Security.txt: a mandatory standard for the security of government websites

In this blog, I will discuss what security.txt entails, why it is mandatory for the government, what the advantages and disadvantages are, how it relates to the Baseline Information Security Government (BIO), and how we at Shift2 can help our customers comply with this new standard.

Written by: Emiel Duinisveld (CISO)

What is security.txt?

Security.txt is a standardized text file that contains important security information about a website and is placed on the web server. It provides a structured way to share information, such as vulnerability reporting policies and contact details for ethical hackers or cyber researchers.

By making this information public, communication between the government and ethical hackers is simplified, allowing security issues to be addressed more effectively. 

Source: Digital Trust Center 

Obligation for the government

The Dutch government has made security.txt mandatory for all government websites and added it to the 'Apply or explain' list of Forum Standaardisatie (Standardization Forum) as of May 25, 2023. This means that Dutch municipalities, provinces, the national government, water boards, and all implementing organizations are required to apply this open standard. 

The purpose of this obligation is to promote transparency and cooperation, speed up response times to vulnerability reports, and ensure a consistent approach to security within the government. 

At the beginning of this year, a survey was conducted by Internet.nl, which has already added validation for security.txt to its domain test. The survey revealed that only 20% of the government websites examined have a security.txt file. With this requirement, the Standardization Forum aims to further increase its use.

The relationship to the Baseline Information Security Government (BIO)

The Baseline Information Security Government (BIO) is a reference framework developed by the Dutch government to improve information security in government organizations. 

The BIO requires, among other things, that you have a procedure in place for receiving and handling vulnerability reports. By implementing security.txt, you comply with the BIO guidelines regarding transparency in security policy, cooperation with external parties, and risk management.

Advantages and disadvantages of security.txt

The mandatory implementation of security.txt offers several advantages for the government. First of all, it promotes transparency and cooperation with ethical hackers and cyber researchers. By providing clear guidelines and contact information, government agencies can be actively involved in reporting vulnerabilities, allowing security to be improved more quickly. In addition, security.txt ensures a consistent approach to security within the government, making it easier for ethical hackers and cyber researchers to find the right contacts and report issues in the correct manner. 

Although security.txt is a useful standard for improving website security, there are also some potential drawbacks.

  • Security.txt requires manual entry and maintenance of the information.
    This means there is always a risk of human error, such as typos and outdated contact information. It is therefore advisable to check and update the file regularly to minimize these errors.
  • Publishing contact information in security.txt can lead to an increased risk of phishing attacks.
    Attackers can misuse the contact details to impersonate cyber researchers or government officials. It is important to raise awareness of this risk and take the necessary measures, such as verifying the identity of the reporter before sharing sensitive information.

Although these disadvantages exist, they usually do not outweigh the advantages of implementing security.txt. By carefully managing the information in the text file and taking the necessary precautions, the potential disadvantages can be effectively mitigated.
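The maintenance risks above (typos, outdated contact details, a file nobody has refreshed) can be caught by a periodic check. The following Python checker is an added example, not code from this post or from SIMsite: it parses a security.txt body and reports missing required fields, misspelled field names, a Contact that is not a URI, and an expired or far-future Expires date. The field names and rules follow RFC 9116, which defines the security.txt format; the two sample files and the example.gov.nl domain are constructed for illustration.

```python
# Added example, not code from the post or from SIMsite: an offline checker for a
# security.txt body. Field names and rules follow RFC 9116; samples are constructed.
from datetime import datetime, timedelta, timezone

KNOWN = {"contact", "expires", "encryption", "acknowledgments", "preferred-languages",
         "canonical", "policy", "hiring", "csaf"}
AS_OF = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed "now" so results are reproducible

def parse_security_txt(text):
    """Map lowercased field name -> list of values; blank and '#' comment lines are skipped."""
    fields = {}
    for line in (raw.strip() for raw in text.splitlines()):
        if line and not line.startswith("#") and ":" in line:
            name, _, value = line.partition(":")
            fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields

def check_security_txt(text, now=None):
    """Return human-readable findings; an empty list means the file looks healthy."""
    now = now or datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    findings = [f"missing required field {f}" for f in ("Contact", "Expires")
                if f.lower() not in fields]
    # A misspelled name such as 'Encrypton' silently drops the field, so flag it.
    findings += [f"unknown field name {n!r} (typo?)" for n in fields if n not in KNOWN]
    for c in fields.get("contact", []):
        if not c.startswith(("mailto:", "tel:", "https://")):
            findings.append(f"Contact is not a mailto:, tel: or https: URI: {c}")
    for value in fields.get("expires", []):
        try:
            exp = datetime.fromisoformat(value.replace("Z", "+00:00"))
        except ValueError:
            findings.append(f"Expires is not an ISO 8601 timestamp: {value}")
            continue
        exp = exp if exp.tzinfo else exp.replace(tzinfo=timezone.utc)  # RFC requires a zone
        if exp <= now:
            findings.append(f"file expired on {value}; researchers may treat it as stale")
        elif exp > now + timedelta(days=365):
            findings.append("Expires is more than a year away; RFC 9116 recommends less")
    return findings

# Constructed samples; example.gov.nl is a placeholder domain.
GOOD = """Contact: mailto:security@example.gov.nl
Expires: 2024-12-31T23:59:59.000Z
"""
STALE = """Contact: security@example.gov.nl
Expires: 2023-01-01T00:00:00Z
Encrypton: https://example.gov.nl/pgp-key.txt
"""
```

Run `check_security_txt` against the live file on a schedule and alert on any non-empty result, so an expired or mistyped file is noticed before a researcher does.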

Shift2 takes care of its customers

More than 100 government agencies now use our content management system 'SIMsite powered by Drupal'. We comply with the applicable open standards and guarantee a 100% score on internet.nl for our customers whose websites we host. From now on, our customers can easily create and publish security.txt files themselves within SIMsite.

Overall conclusion 

Security.txt is an important step in securing government websites. The obligation to use it within the government promotes transparency, cooperation, and a consistent approach to security. It complies with BIO guidelines and contributes to improving the information security of government organizations. By implementing security.txt, government agencies can resolve vulnerabilities more quickly and increase public confidence. 

Let's work together to ensure that we raise the adoption of this standard from just 20% to a higher level!

Good news!

This functionality is available as standard in the Content Management System for all our customers. Not yet a customer, but would you like to know more about our websites and their security?

Please contact us