on 04-May-2022 12:08 - edited on 13-Jan-2023 16:01 by JRahm
One week ago, on 27 April 2022, the IETF published RFC 9116, which describes the security.txt file. The purpose of this file is to aid in responsible disclosure, a process that allows security researchers to safely report vulnerabilities.
The file should be placed either in the document root or in the /.well-known folder of a web server, and it should contain information about the site owner's vulnerability disclosure process. Further details on the formatting and on the mandatory and optional fields can be found here: https://www.rfc-editor.org/rfc/rfc9116
Without automation, adding this text file to every web server can be time consuming, even in small environments. The iRule below can be used to serve the file from the BIG-IP instead.
Note: The RFC mentions the process of PGP signing the security.txt file. I guess this can be done with iRulesLX; however, I didn't have time yet to figure out the details of if and how it can be done. If anyone is faster or more knowledgeable than me with iRulesLX, the stage is yours.
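The author's iRule is not reproduced on this page. The following is an added example written for this edit, not the author's code, showing one way to serve an RFC 9116 security.txt from a BIG-IP with a standard LTM iRule. All field values (the example.com addresses, the policy URL and the Expires timestamp) are placeholders, and the rule is assumed to be attached to the HTTPS virtual server, because RFC 9116 requires the file to be retrieved over https.

```tcl
# Added example, not the post's own iRule: serve /.well-known/security.txt from the BIG-IP.
# Every value in the file body below is a placeholder to be replaced with your own details.
when RULE_INIT {
    # Build the file body once when the rule loads. RFC 9116 makes two fields mandatory:
    # Contact and Expires. Expires is RFC 3339 date-time and should lie less than a year
    # ahead, so the placeholder below must be refreshed before it lapses.
    set static::security_txt "Contact: mailto:security@example.com\r\n"
    append static::security_txt "Expires: 2023-12-31T23:59:00.000Z\r\n"
    append static::security_txt "Preferred-Languages: en\r\n"
    append static::security_txt "Canonical: https://www.example.com/.well-known/security.txt\r\n"
    append static::security_txt "Policy: https://www.example.com/security-policy\r\n"
}

when HTTP_REQUEST {
    if { [HTTP::path] equals "/.well-known/security.txt" } {
        # RFC 9116 requires Content-Type text/plain with charset utf-8.
        # noserver suppresses the BIG-IP Server header on the synthetic response.
        HTTP::respond 200 content $static::security_txt noserver \
            "Content-Type" "text/plain; charset=utf-8" \
            "Cache-Control" "max-age=86400"
    } elseif { [HTTP::path] equals "/security.txt" } {
        # Legacy top-level location: the RFC allows it to redirect to the well-known path.
        HTTP::respond 301 noserver \
            "Location" "https://[HTTP::host]/.well-known/security.txt"
    }
}
```

Because the response is generated by the iRule, the request never reaches the pool members, so the file is identical on every virtual server the rule is attached to and there is one place to update when the Expires date or contact address changes. The rule only replaces the plain-text file; it does not produce the optional PGP signature the note above refers to.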