As web developers, we are aware of all sorts of metadata available on websites. Besides HTTP headers and <meta> tags, there are many places to look for information: Microdata (or RDFa and JSON-LD) for search engines, robots.txt files for web crawlers, and Open Graph for social media.
But have you ever encountered a security.txt file?
Commonly known as Eduardo Vela, Eduardo A. Vela Nava (or sirdarckcat on Github and Twitter) has been a Security Engineer at Google since 2010. He currently has the role of Product Security Response Team Lead.
Like other security experts before him, he pondered the problem of effectively communicating the details of a site's vulnerability reward program to white hat hackers and pen-testers.
One person in particular who also pondered this issue is Chema Alonso (also on Twitter).
He is well-known enough to warrant a Spanish Wikipedia entry.
Between 2005 and 2011 Alonso was awarded the Microsoft Most Valuable Professional Award for Enterprise Security 6 years in a row. That should tell you something about his “skillz”. It is with him that this history starts…
On February 3rd 2011 Alonso wrote about his frustrations regarding the topic of communication between hackers and the administrators and/or developers of a site.
Alonso’s blog post about hackers.txt
He proposed an initiative similar to humans.txt, but for hackers.
He mentioned this hackers.txt initiative in his blog post.
In April 2011 the humanstxt.org website got a new design, which included an image mentioning the hackers.txt file.
At this point, I must sadly submit to conjecture, but… consider:
The team behind humans.txt are all from Spain (mostly Barcelona)
At this point, Alonso is already quite well known in the Spanish developer community
Would it be such a stretch to imagine that they got to know of each other’s efforts?
On May 14th 2014 Vela, already working at Google, commented on a blog-post by Alonso. It is most likely that they had further contact in a professional setting. Whether or not they actively shared their ideas regarding anything related to hackers.txt is unknown.
On July 6th 2017 Vela posted a question to this effect on Twitter:
Vela’s tweet regarding hackers.txt
“How about we create a /hackers.txt that says whether something is in scope or not of a vulnerability reward program and where to report it?”
Subsequently, an empty git repository was created for hackerstxt.org on Github and an email thread was opened at Google Groups to discuss this idea further.
On August 13th 2017 Edwin Foudil (or EdOverflow on GitHub and Twitter) created a git repository for security.txt on GitHub and responded to the mailing list:
I have published a similar project to the one being discussed in this group (https://github.com/EdOverflow/security-txt) and would love to get some of your feedback and ideas.
The project is the equivalent of robots.txt, but for defining a security policy. Companies can add a security.txt to their website and define clear guidelines of what security researchers must do when they discover a security issue. security.txt also allows bug bounty programs to add their scope there. security.txt uses a similar syntax to robots.txt, which should make it easier for machines to parse.
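Foudil's point about machine-readable syntax is easy to demonstrate. What follows is an added example written for this article, not code from the security.txt project or securitytxt.org: it parses the robots.txt-like "Field: value" syntax and runs the sanity checks a site owner would want before publishing the file. The field names (Contact, Expires, Policy) are those of the published format; the sample file and the particular checks are constructed for this example.

```python
# Added example for this article (not code from the security.txt project or
# securitytxt.org): parse the robots.txt-like "Field: value" syntax and flag
# problems a maintainer should fix. Field names follow the published format.
from datetime import datetime, timezone

SAMPLE = """\
# Constructed example, not a real site's file
Contact: mailto:security@example.com
Contact: https://example.com/security/report
Expires: 2030-01-01T00:00:00Z
Policy: https://example.com/security/policy
"""

def parse_security_txt(text):
    """Return ({field_lower: [values]}, [malformed lines]); '#' comments skipped."""
    fields, bad = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            bad.append(raw)
            continue
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields, bad

def _parse_time(value):
    """RFC 3339 timestamp -> aware datetime ('Z' handled for Python < 3.11)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def check_security_txt(text, now_iso=None):
    """List problems: malformed lines, missing/odd Contact, missing or past
    Expires. now_iso pins 'today' so runs are repeatable; default is real now."""
    now = _parse_time(now_iso) if now_iso else datetime.now(timezone.utc)
    fields, bad = parse_security_txt(text)
    problems = [f"malformed line: {b!r}" for b in bad]
    contacts = fields.get("contact", [])
    if not contacts:
        problems.append("no Contact field: researchers have nowhere to report")
    for c in contacts:  # common schemes only; the format allows any URI
        if not c.startswith(("mailto:", "https://", "tel:")):
            problems.append(f"Contact is not a mailto:/https:/tel: URI: {c}")
    expires = fields.get("expires", [])
    if len(expires) != 1:
        problems.append("exactly one Expires field is expected")
    elif _parse_time(expires[0]) <= now:
        problems.append(f"file expired at {expires[0]}; contacts may be stale")
    return problems
```

Run check_security_txt on the text you actually serve; an expired Expires or a bare e-mail address in Contact is exactly the kind of defect that leaves a reporter with no working channel.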
He was, in part, inspired by an open-source project he was working on at the time called GratiPay. GratiPay has had a SECURITY.txt file since 2013.
He also drew inspiration from the SECURITY.md files that more and more open-source projects were adding to their repositories.
Draft RFC for security.txt at IETF
On September 10th 2017 Foudil submitted the first draft for security.txt to the Internet Engineering Task Force.
Foudil has stated:
After I published the first Internet draft, I actually met up in person at Google to chat about security.txt with Eduardo [Vela]. So he is a contributor to the project too.
On September 14th 2017 Alonso wrote a blog post with the title (translated from Spanish) “Security.TXT an IETF draft for my Hackers.TXT”.
Beyond the title, Alonso does not allude to the fact that his 2011 idea was the origin of the draft, but he does state his approval of the effort.
On February 3rd 2018 the mailing list was informed that the effort would concede to security.txt, and Vela tweeted that Google had already implemented one.
With the security.txt (and the standard that supports it) we can now help testers help us.
Even though the RFC is still in draft, the standard is already being adopted quite well by major players on the web.
Besides the security.txt at Google, other reputable companies are also including the file, such as:
1password
BBC
bit.ly
CERT NZ
DailyMotion
Dropbox
Facebook
GitHub
Have I Been Pwned?
Node.js / npm
OpenSSL
Shopify
(Feel free to add more from well-known sites in the comments)
Details and a nifty tool to generate your own security.txt can be found at https://securitytxt.org/
The https://securitytxt.org/ website
Suggestions? Feedback? Feel free to comment here or find me on Twitter. Make sure to check out our careers page to discover tech jobs at Takeaway.com!
Originally published as an answer to a question on StackOverflow.
Translated from: https://medium.com/takeaway-tech/the-history-of-the-hackerstxt-and-securitytxt-files-95c0a3be43a9