A proposed standard which allows iOS applications to define security policies.

Your security.plist file has been copied to your clipboard!


“When security risks in web services are discovered by independent security researchers who understand the severity of the risk, they often lack the channels to disclose them properly. As a result, security issues may be left unreported. security.plist defines a standard to help organizations define the process for security researchers to disclose security vulnerabilities securely.”

security.txt files have been implemented by Google, Facebook, GitHub, the UK government, and many other organisations. In addition, the UK’s Ministry of Justice, the Cybersecurity and Infrastructure Security Agency (US), the French government, the Italian government, the Dutch government, and the Australian Cyber Security Centre endorse the use of security.txt files.

Step 1

Create a property list file called security.plist and drag-and-drop it to your .xcodeproj or .xcworkspace project files.

Recent changes to the specification

The date format for Expires has changed to ISO 8601. An example of the new format is Expires: 2021-12-31T18:37:07.000Z.

Contact Required

A link or e-mail address for people to contact you about security issues. Remember to include "https://" for URLs, and "mailto:" for e-mails. See the full description of Contact

Expires Required Only 1 allowed

The date and time when the content of the security.txt file should be considered stale (so security researchers should then not trust it). Make sure you update this value periodically and keep your file under review. See the full description of Expires

Encryption Optional

A link to a key which security researchers should use to securely talk to you. Remember to include "https://". See the full description of Encryption

Acknowledgments Optional

A link to a web page where you say thank you to security researchers who have helped you. Remember to include "https://". See the full description of Acknowledgments

Preferred-Languages Optional Only 1 allowed

A comma-separated list of language codes that your security team speaks. You may include more than one language. See the full description of Preferred-Languages

Policy Optional

A link to a policy detailing what security researchers should do when searching for or reporting security issues. Remember to include "https://". See the full description of Policy

Hiring Optional

A link to any security-related job openings in your organisation. Remember to include "https://". See the full description of Hiring

CSAF Optional

A link to the provider-metadata.json of your CSAF (Common Security Advisory Framework) provider. Remember to include "https://". See the full description of CSAF

Step 2

You are ready to go! Publish your security.plist file. If you want to give security researchers confidence that your security.plist file is authentic, and not planted by an attacker, consider digitally signing the file with an OpenPGP cleartext signature.

Frequently asked questions

What is the main purpose of security.plist?

The main purpose of security.plist is to help make things easier for companies and security researchers when trying to secure platforms. Thanks to security.plist, security researchers can easily get in touch with companies about security issues.

Where should I put the security.plist file?

For iOS applications, the security.plist file should be placed at the root of .xcodeproj or .xcworkspace project files.

Are there any settings I should apply to the file?

The security.plist file should be at least plist version="1.0".

Will adding an email address expose me to spam bots?

The email value is an optional field. If you are worried about spam, you can set a URI as the value and link to your security policy.