Have you ever considered creating a Drupal security.txt file? security.txt is a standardized format (RFC 9116) that gives security researchers one predictable place to learn how to report a vulnerability to you. The file generally includes:
- One or more contact methods (Contact) for reaching your security team directly
- The date after which the file should be considered stale (Expires, which RFC 9116 makes mandatory)
- A public encryption key (Encryption) so reporters can encrypt their submissions
- Direct links to your security policy (Policy) and related pages such as acknowledgements
https://securitytxt.org walks you through generating a complete security.txt file that you can place in the .well-known directory yourself. The Security.txt Drupal module is the better option if site administrators can't, or shouldn't, edit raw files on the server.
Configure the Drupal Security.txt Module
- Visit https://www.drupal.org/project/securitytxt.
- Log into Drupal and install the module using the tar.gz download link for your Drupal version.
- Click “Enable newly added modules.”
- Under “Security,” check the box for “Security.txt.”
- At the bottom, select “Install.”
- From the main navigation menu, select “People.”
- Select the “Permissions” tab.
- Grant the "View security.txt" permission to both the anonymous and authenticated user roles. Without the anonymous grant, researchers and scanners who are not logged in get an access-denied response instead of the file, which defeats the purpose.
- At the bottom, select “Save permissions.”
- Select “Configuration” from the navigation bar.
- Under “System,” select “Security.txt.”
- At the top, select “Enable the security.txt file for your site.”
- You can add up to three contact methods. The first is an email address. Anything published here is readable by anyone, attackers included, so use a dedicated mailbox for security reports (e.g. a security@ address) with strong spam filtering rather than an individual's inbox.
- You can add a phone number. Like the email address, it will be harvested automatically, so prefer a number that is not tied to a person, such as a Google Voice number or a Signal contact that does not reveal your real number.
- The third option, and often the simplest to operate, is a contact form URL. Protect the form with a CAPTCHA and validate and sanitize its input to limit spam and abusive submissions. The URL must use https, since RFC 9116 only allows https web links in the Contact field.
- If you have published a PGP/GPG public key, add its URL so reporters can encrypt their submissions; the same key can also be used to sign the security.txt file itself.
- If you have a page explaining your security policy, add the security policy URL.
- If you want to show thanks and offer backlinks for people who’ve helped you resolve security issues, create a page listing them and add it here as the acknowledgements page URL.
- At the bottom, select “Save configuration.”
Once saved, the file is served at https://yourdomain.com/.well-known/security.txt (RFC 9116 requires it to be served over HTTPS). If you add a signature through the module, the detached signature is served at /.well-known/security.txt.sig. Check both URLs from a logged-out browser, because the permission you granted to anonymous users is what makes them public.
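Once the module is saved and the file is reachable, it is worth checking the result against the RFC 9116 rules that the module's form cannot enforce for you: a bare email address where a mailto: URI is required, an http: link, or a missing, expired or too-distant Expires date. The Python script below is an added example written for this article, not code from the Drupal Security.txt module; the two security.txt documents inside it are constructed samples, the example.org URLs are placeholders, and FIXED_NOW is a fixed reference date chosen so the sample results are reproducible.

```python
"""Offline checker for a served security.txt, using the RFC 9116 rules.

Added example for this article; it is not part of the Drupal Security.txt
module. The two documents below are constructed samples and the
example.org URLs are placeholders.
"""
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

# Field names the RFC defines (field names are case-insensitive in the file).
KNOWN_FIELDS = {"contact", "expires", "encryption", "acknowledgments", "canonical",
                "hiring", "policy", "preferred-languages", "csaf"}
REQUIRED_FIELDS = ("contact", "expires")            # both MUST be present
SINGLE_VALUED = ("expires", "preferred-languages")  # MUST NOT appear more than once
HTTPS_ONLY = ("policy", "acknowledgments", "canonical", "hiring", "csaf")

# Fixed reference time (constructed) so the sample results below are reproducible.
FIXED_NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)

SAMPLE_OK = """\
# Constructed sample of what the module serves at /.well-known/security.txt
Contact: mailto:security@example.org
Contact: https://example.org/security-contact
Expires: 2025-12-31T23:59:59.000Z
Encryption: https://example.org/pgp-key.txt
Policy: https://example.org/security-policy
Acknowledgments: https://example.org/hall-of-fame
Canonical: https://example.org/.well-known/security.txt
"""

# Constructed sample with the mistakes this check is meant to catch.
SAMPLE_BAD = """\
Contact: security@example.org
Encryption: http://example.org/pgp-key.txt
Preferred-Languages: en
Preferred-Languages: de
"""


def parse_security_txt(text):
    """Return (field, value) pairs in file order; comments and blank lines are skipped."""
    pairs = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"line {lineno}: expected 'Field: value', got {raw!r}")
        name, value = line.split(":", 1)
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def validate(text, now=None):
    """Return a list of human-readable problems; an empty list means the file passes."""
    now = now or datetime.now(timezone.utc)
    problems = []
    values = {}
    for name, value in parse_security_txt(text):
        values.setdefault(name, []).append(value)

    for name in REQUIRED_FIELDS:
        if name not in values:
            problems.append(f"missing required field {name.title()}")
    for name in SINGLE_VALUED:
        if len(values.get(name, [])) > 1:
            problems.append(f"{name.title()} must appear only once")
    for name in values:
        if name not in KNOWN_FIELDS:
            problems.append(f"unknown field {name!r}")

    # Contact MUST be a URI; a bare e-mail address is the most common mistake.
    for value in values.get("contact", []):
        if urlparse(value).scheme.lower() not in ("https", "mailto", "tel"):
            problems.append(f"Contact must be an https:, mailto: or tel: URI, got {value!r}")
    # Keys may be fetched over https, referenced by fingerprint, or published in DNS.
    for value in values.get("encryption", []):
        if urlparse(value).scheme.lower() not in ("https", "openpgp4fpr", "dns"):
            problems.append(f"Encryption must be an https:, openpgp4fpr: or dns: URI, got {value!r}")
    for name in HTTPS_ONLY:
        for value in values.get(name, []):
            if urlparse(value).scheme.lower() != "https":
                problems.append(f"{name.title()} must be an https: URL, got {value!r}")

    # Expires is an ISO 8601 timestamp; the RFC recommends keeping it under a year out.
    for value in values.get("expires", []):
        try:
            expires = datetime.fromisoformat(value.replace("Z", "+00:00"))
        except ValueError:
            problems.append(f"Expires is not an ISO 8601 timestamp: {value!r}")
            continue
        if expires.tzinfo is None:
            problems.append("Expires must include a timezone offset")
        elif expires <= now:
            problems.append(f"file expired at {value}")
        elif expires - now > timedelta(days=365):
            problems.append(f"Expires is more than a year away ({value})")
    return problems


if __name__ == "__main__":
    import sys
    # Pipe the served file in (curl -s https://yourdomain.com/.well-known/security.txt | python3 check.py)
    # or run with no input to check the constructed sample against the real clock.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OK
    for problem in validate(text) or ["no problems found"]:
        print(problem)
```

Run it against the live file with the curl pipeline in the closing comment and treat any output other than "no problems found" as a setting to correct in the module's configuration page. Because the script reads the file exactly as served, an access-denied page caused by a missing anonymous permission, or an HTML login page, will usually surface as a parse error rather than a silent pass.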