With the rise of cyber-criminal rings like Magecart, security is becoming an increasingly relevant topic within the ecommerce space. In this post we’ll look at an emerging specification, security.txt, and consider its relevance within the Magento ecosystem.
What Is It?
The usage of security.txt can be read about on the project’s homepage.
In a nutshell, a website publishes a plain-text file named security.txt in its .well-known/ folder, so that it is always found at the same place: /.well-known/security.txt. Here is an example of a published security.txt file, https://github.com/.well-known/security.txt. The file tells anyone who finds a security issue how it should be reported to the owner of the website in question: at minimum a Contact entry (a mailto:, tel: or https: URI), and typically also where the site’s PGP key, disclosure policy and acknowledgements page can be found.
Why Is This Relevant?
As reported by Dutch security researcher Willem de Groot, Magento extensions are now the top cause of Magento breaches. Attackers proactively scour the source code of Magento extensions looking for vulnerabilities and use them to compromise Magento sites. As such, it’s more important than ever for Magento extension providers to give security researchers a clear, published channel for responsible disclosure of the vulnerabilities they find, so that a report reaches the vendor before an attacker reaches the stores running the extension.
What Is Something Digital Doing About This?
I’m happy to announce that Something Digital now publishes a security.txt file:
If you discover a security vulnerability in any of our open-source modules, our website, or any of our clients’ websites, please report it to us responsibly, following the process documented in our security.txt file.