Security.txt: a mandatory standard for government website security

In this blog, I will discuss what security.txt entails, why it is mandatory for the government, what its advantages and disadvantages are, how it relates to the Government Information Security Baseline (BIO) and how we at Shift2 unburden our customers so that this new standard can be met. Written by: Emiel Duinisveld (CISO)

What is security.txt?

Security.txt is a standardized text file, placed on the web server, that contains the security information a website wants to make public. It provides a structured way to share information such as the vulnerability reporting policy and the contact details that ethical hackers and security researchers should use to report a finding.

Making this information public will simplify communication between the government and ethical hackers, allowing security problems to be addressed more effectively. 

Source: Digital Trust Center

Government obligation

The Dutch government has made security.txt mandatory for all government websites, and the standard has been added to Forum Standaardisatie's 'Apply or Explain' list as of May 25, 2023. This means that Dutch municipalities, provinces, the central government, water boards and all implementing organizations are required to apply this open standard.

The purpose of this requirement is to promote transparency and collaboration, accelerate response time to vulnerability reports and ensure a consistent approach to security across government. 

Early this year, a measurement was done by Internet.nl, which had already added validation of security.txt to its domain test. It showed that only 20% of the government websites surveyed had a security.txt. With the requirement, Forum Standaardisatie therefore wants to increase usage further.

The relationship to the Government Information Security Baseline (BIO)

The Government Information Security Baseline (BIO) is a reference framework developed by the Dutch government to improve the information security of government organizations. 

Among other things, the BIO requires you to have a procedure for receiving and handling vulnerability reports. By implementing security.txt, you comply with the BIO's guidelines regarding transparency in security policies, collaboration with external parties and risk management.

Advantages and disadvantages of security.txt

Mandatory implementation of security.txt offers several benefits to the government. First, it promotes transparency and cooperation with ethical hackers and cyber researchers. By providing clear guidelines and contact information, government agencies actively invite the reporting of vulnerabilities, which allows security improvements to be made faster. In addition, security.txt provides a consistent approach to security within the government, making it easier for ethical hackers and cyber researchers to find the right contacts and submit their reports in the appropriate way.

While security.txt is a useful standard for improving website security, there are some potential drawbacks.

  • Security.txt requires manual input and maintenance of the information.
    Because of this, there is always a chance of human error, such as typos and outdated contact information. It is therefore advisable to check and update the file regularly to minimize these errors.
  • Disclosing contact information in security.txt can lead to an increased risk of phishing attacks.
    Attackers can misuse the contact information to pose as cyber researchers or government officials. It is important to create awareness around this risk and take appropriate measures, such as verifying the identity of the reporter before sharing sensitive information. 
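The regular check recommended above can be automated. The Python linter below is an added example, not code from the original post or from Shift2's SIMsite; it reads the content of a security.txt and reports the defects the drawbacks describe: a typo in a field name, a contact that is not a proper URI, and an Expires date that has already passed, plus the other structural rules of RFC 9116, the IETF standard that defines the file and serves it from the /.well-known/security.txt path described in the 'What is security.txt?' section. The two sample files, the example.org addresses and the reference date are constructed for the demonstration.

```python
"""Lint a security.txt file for stale or malformed information.

Added example (not from the original post or from SIMsite). Field names and
rules follow RFC 9116; the sample files and the reference date are constructed.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Field names defined by RFC 9116, lower-cased because matching is case-insensitive.
KNOWN_FIELDS = {"acknowledgments", "canonical", "contact", "encryption",
                "expires", "hiring", "policy", "preferred-languages", "csaf"}
# RFC 9116 requires Contact values to be URIs; these are the usual schemes.
CONTACT_SCHEMES = ("mailto:", "tel:", "https://")

# Constructed reference "current time" so the result is reproducible.
REFERENCE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

# Constructed sample: a well-formed file.
GOOD_SAMPLE = """\
# Responsible disclosure contact for this (constructed) municipality
Contact: mailto:security@example.org
Contact: https://www.example.org/responsible-disclosure
Expires: 2024-12-31T23:59:59.000Z
Preferred-Languages: nl, en
Policy: https://www.example.org/responsible-disclosure
"""

# Constructed sample showing the human-error failure modes from the post.
BAD_SAMPLE = """\
Contac: mailto:security@example.org
Contact: security@example.org
Expires: 2023-01-01T00:00:00Z
"""


def parse_security_txt(text: str) -> List[Tuple[str, str]]:
    """Return (field, value) pairs. Comments (#) and blank lines are skipped;
    field names are lower-cased, values keep their case. A line without a
    colon is recorded under the pseudo-field '<malformed>'."""
    fields = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            fields.append(("<malformed>", line))
        else:
            fields.append((name.strip().lower(), value.strip()))
    return fields


def lint_security_txt(text: str, now: Optional[datetime] = None) -> List[str]:
    """Return a list of human-readable problems; an empty list means the file passes."""
    now = now or datetime.now(timezone.utc)
    problems: List[str] = []
    by_name: Dict[str, List[str]] = {}
    for name, value in parse_security_txt(text):
        by_name.setdefault(name, []).append(value)

    for value in by_name.get("<malformed>", []):
        problems.append(f"line is not 'Field: value': {value!r}")
    for name in by_name:
        if name != "<malformed>" and name not in KNOWN_FIELDS:
            problems.append(f"unknown field '{name}' (typo?)")

    # Contact: at least one, each a URI (a bare e-mail address is a common mistake).
    contacts = by_name.get("contact", [])
    if not contacts:
        problems.append("missing required 'Contact' field")
    for contact in contacts:
        if not contact.lower().startswith(CONTACT_SCHEMES):
            problems.append(f"Contact must be a mailto:, tel: or https:// URI: {contact!r}")

    # Expires: exactly one, ISO 8601 with time zone, in the future, at most ~1 year ahead.
    expires = by_name.get("expires", [])
    if len(expires) != 1:
        problems.append(f"exactly one 'Expires' field is required, found {len(expires)}")
    else:
        try:
            exp = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
            if exp.tzinfo is None:
                problems.append("Expires lacks a time zone")
            elif exp <= now:
                problems.append(f"file expired on {expires[0]}")
            elif exp > now + timedelta(days=365):
                problems.append("Expires is more than a year ahead (RFC 9116 recommends at most one year)")
        except ValueError:
            problems.append(f"Expires is not an ISO 8601 date-time: {expires[0]!r}")

    if len(by_name.get("preferred-languages", [])) > 1:
        problems.append("at most one 'Preferred-Languages' field is allowed")
    return problems


if __name__ == "__main__":
    for label, sample in (("good", GOOD_SAMPLE), ("bad", BAD_SAMPLE)):
        print(label, lint_security_txt(sample, REFERENCE_NOW) or "OK")
```

Run against a live site by fetching https://<your-domain>/.well-known/security.txt and passing the body to `lint_security_txt`; scheduling that check, and alerting when the Expires date approaches, turns the manual maintenance the post warns about into a routine control.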

While these disadvantages exist, they usually do not outweigh the benefits of implementing security.txt. By carefully managing the information in the text file and taking appropriate precautions, the potential drawbacks can be effectively mitigated.

Shift2 unburdens its clients

Over 100 government agencies now use our content management system 'SIMsite powered by Drupal'. We have conformed to the applicable open standards and guarantee a 100% score on internet.nl for our customers for whom we host the website. From now on our customers can easily create and publish security.txt themselves within SIMsite.

Overall conclusion

Security.txt is an important step in the security of government websites. The requirement for use within government promotes transparency, collaboration and a consistent approach to security. It meets BIO guidelines and helps improve information security for government organizations. By implementing security.txt, government agencies can resolve vulnerabilities faster and increase citizen confidence. 

Let's work together to ensure that we are able to increase the adoption of this standard from just 20% to the next level!

Good news!

For all our customers, we have this functionality available by default in the Content Management System. Are you not yet a customer, but would like to know more about our websites and their security?

Then contact us