When bug-bounty hunters and other security researchers need to disclose a vulnerability to an organization, they often can’t find an email address through which to contact it. The concept of security.txt originated from the need to streamline communication between security researchers and organizations. An idea was submitted to the Internet Engineering Task Force (IETF) to create a file similar to robots.txt (which tells search engines which paths they can crawl) that would allow security researchers to contact an organization if a problem were discovered. Over the years, many organizations, including prominent tech giants, have adopted the file, further validating its utility and importance in promoting responsible vulnerability disclosure.
The Digital Trust Center of the National Government of The Netherlands announced that all Dutch government websites must have this file from 25 May 2023. The obligation comes from the Central Government Standardization Forum and is in line with the Government Information Security Baseline.