“When security risks in web services are discovered by independent security researchers who understand the severity of the risk, they often lack the channels to disclose them properly. As a result, security issues may be left unreported. security.plist defines a standard to help organizations define the process for security researchers to disclose security vulnerabilities securely.”
security.txt files have been implemented by Google, Facebook, GitHub, the UK government, and many other organisations. In addition, the UK's Ministry of Justice, the Cybersecurity and Infrastructure Security Agency (US), the French government, the Italian government, the Dutch government, and the Australian Cyber Security Centre endorse the use of security.txt files.
Create a property list file called security.plist and drag-and-drop it into your .xcodeproj or .xcworkspace project files.
You are ready to go! Publish your security.plist file. If you want to give security researchers confidence that your security.plist file is authentic, and not planted by an attacker, consider digitally signing the file with an OpenPGP cleartext signature.
The main purpose of security.plist is to help make things easier for companies and security researchers when trying to secure platforms. Thanks to security.plist, security researchers can easily get in touch with companies about security issues.
For iOS applications, the security.plist file should be placed at the root of the .xcodeproj or .xcworkspace project files.
The security.plist file should be at least plist version="1.0".
The email value is an optional field. If you are worried about spam, you can set a URI as the value and link to your security policy.
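The steps above (a plist at version 1.0, an optional email value that may instead be a URI to a security policy, and an optional OpenPGP cleartext signature) are easy to get subtly wrong when the file is edited by hand. The following is an added example, not tooling from the security.plist project, that checks a file against those rules before it ships. It assumes, since the page does not say, that the plist's top level is a dictionary, that the contact lives under a key named `email`, and that a policy link should use `https://`; the sample file and the signature wrapper in the test are constructed placeholders.

```python
"""Sanity-check a security.plist before publishing it (added example, not the
project's own code).

Assumptions not stated on the page: the top-level object is a dict, the
contact is stored under an ``email`` key, and a URI used instead of a mail
address should be https:// so researchers fetch the policy over TLS.
"""
import plistlib
import re
import xml.etree.ElementTree as ET
from typing import List, Optional

# Constructed sample file with placeholder values (not a real address).
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>email</key>
    <string>https://example.com/security-policy</string>
</dict>
</plist>
"""

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
PGP_BEGIN = "-----BEGIN PGP SIGNED MESSAGE-----"
PGP_SIG = "-----BEGIN PGP SIGNATURE-----"


def plist_version(data: bytes) -> Optional[str]:
    """Return the value of the <plist version="..."> attribute, or None."""
    root = ET.fromstring(data)
    if root.tag != "plist":
        return None
    return root.get("version")


def contact_ok(value) -> bool:
    """The email value may be a mail address or, to avoid spam, an https URI."""
    if not isinstance(value, str):
        return False
    if value.startswith("https://"):
        return True
    return bool(EMAIL_RE.match(value))


def validate_security_plist(data: bytes) -> List[str]:
    """Return the problems found; an empty list means the file passed."""
    problems: List[str] = []
    try:
        version = plist_version(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if version != "1.0":
        problems.append(f"plist version must be 1.0, got {version!r}")
    try:
        doc = plistlib.loads(data)
    except plistlib.InvalidFileException as exc:
        return problems + [f"not a valid property list: {exc}"]
    if not isinstance(doc, dict):
        return problems + ["top-level object must be a dict"]
    # email is optional, but when present it must be usable by a researcher
    if "email" in doc and not contact_ok(doc["email"]):
        problems.append("email must be a mail address or an https:// URI")
    return problems


def unwrap_cleartext_signature(text: str) -> str:
    """Recover the signed body from an OpenPGP cleartext signature (RFC 4880 7).

    This only extracts the text so it can be validated; it does NOT verify the
    signature. Verification is gpg's job: ``gpg --verify security.plist.asc``.
    Unsigned input is returned unchanged.
    """
    if not text.startswith(PGP_BEGIN):
        return text
    header_end = text.index("\n\n")  # blank line after the armor headers
    sig_start = text.index(PGP_SIG)
    body = text[header_end + 2:sig_start]
    # undo dash-escaping ("- -----" lines) applied by the signer
    lines = [l[2:] if l.startswith("- ") else l for l in body.split("\n")]
    return "\n".join(lines)


if __name__ == "__main__":
    issues = validate_security_plist(SAMPLE_PLIST)
    print("OK" if not issues else "\n".join(issues))
```

Run it against the plist in the project tree before each release; a signed copy can be passed through `unwrap_cleartext_signature` first, but only after `gpg --verify` has accepted the signature, since the unwrapper trusts whatever it is given.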