A proposed standard which allows iOS applications to define security policies.

Your security.plist file has been copied to your clipboard!


β€œWhen security risks in web services are discovered by independent security researchers who understand the severity of the risk, they often lack the channels to disclose them properly. As a result, security issues may be left unreported. security.plist defines a standard to help organizations define the process for security researchers to disclose security vulnerabilities securely.”

Step 1

Create a property list file called security.plist and drag-and-drop it to your .xcodeproj or .xcworkspace project files.

Contact Required

A link or e-mail address for people to contact you about security issues. Remember to include "https://" for URLs, and "mailto:" for e-mails. See the full description of Contact

Encryption Optional

A link to a key which security researchers should use to securely talk to you. Remember to include "https://". See the full description of Encryption

Acknowledgments Optional

A link to a web page where you say thank you to security researchers who have helped you. Remember to include "https://". See the full description of Acknowledgments

Preferred-Languages Optional Only 1 allowed

A comma-separated list of language codes that your security team speaks. You may include more than one language. See the full description of Preferred-Languages

Policy Optional

A link to a policy detailing what security researchers should do when searching for or reporting security issues. Remember to include "https://". See the full description of Policy

Hiring Optional

A link to any security-related job openings in your organisation. Remember to include "https://". See the full description of Hiring

Step 2

You are ready to go! Publish your security.plist file. If you want to give security researchers confidence that your security.plist file is authentic, and not planted by an attacker, consider digitally signing the file with an OpenPGP cleartext signature.

Frequently asked questions

What is the main purpose of security.plist?

The main purpose of security.plist is to help make things easier for companies and security researchers when trying to secure platforms. Thanks to security.plist, security researchers can easily get in touch with companies about security issues.

Where should I put the security.plist file?

For iOS applications, the security.plist file should be placed at the root of .xcodeproj or .xcworkspace project files.

Are there any settings I should apply to the file?

The security.plist file should be at least plist version="1.0".

Will adding an email address expose me to spam bots?

The email value is an optional field. If you are worried about spam, you can set a URI as the value and link to your security policy.