🔐 Identify and Parse Web Security Policies Files in R

hrbrmstr/securitytxt

securitytxt

Identify and Parse Web Security Policies Files

Description

When security risks in web services are discovered by independent security researchers who understand the severity of the risk, they often lack the channels to properly disclose them. As a result, security issues may be left unreported. The ‘security.txt’ ‘Web Security Policies’ specification defines an ‘IETF’ draft standard https://tools.ietf.org/html/draft-foudil-securitytxt-00 to help organizations define the process for security researchers to securely disclose security vulnerabilities. Tools are provided to help identify and parse ‘security.txt’ files to enable analysis of the usage and adoption of these policies.

What’s Inside The Tin

The following functions are implemented:

  • sectxt_info: Retrieve a data frame of security.txt keys/values
  • sectxt_url: Determine security.txt URL for a given site/URL
  • sectxt_validate: Validate a security.txt Web Security Policies file
  • sectxt: Parse a security.txt Web Security Policies file & create a sectxt object

Installation

install.packages("securitytxt", repos = "https://cinc.rud.is")
# or
remotes::install_git("https://git.rud.is/hrbrmstr/securitytxt.git")
# or
remotes::install_git("https://git.sr.ht/~hrbrmstr/securitytxt")
# or
remotes::install_gitlab("hrbrmstr/securitytxt")
# or
remotes::install_bitbucket("hrbrmstr/securitytxt")
# or
remotes::install_github("hrbrmstr/securitytxt")

NOTE: To use the ‘remotes’ install options you will need to have the {remotes} package installed.

Usage

library(securitytxt)

# current version
packageVersion("securitytxt")
## [1] '0.1.0'

# built-in example
x <- sectxt(readLines(system.file("extdata", "security.txt", package="securitytxt")))
sectxt_info(x)
# "live" example
(xurl <- sectxt_url("https://securitytxt.org"))
## [1] "https://securitytxt.org/.well-known/security.txt"
x <- sectxt(url(xurl))
sectxt_info(x)
sectxt_validate(x)
## [1] FALSE
x
## <Web Security Policies Object>
## # If you would like to report a security issue
## # you may report it to us on HackerOne.
## Contact: https://hackerone.com/ed
## Encryption: https://keybase.pub/edoverflow/pgp_key.asc
## Acknowledgements: https://hackerone.com/ed/thanks

# another "live" example
(xurl <- sectxt_url("https://rud.is/b"))
## [1] "https://rud.is/.well-known/security.txt"
x <- sectxt(url(xurl))
sectxt_info(x)
sectxt_validate(x)
## [1] TRUE
x
## <Web Security Policies Object>
## Contact: bob@rud.is
## Encryption: https://keybase.io/hrbrmstr/pgp_keys.asc?fingerprint=e5388172b81c210906f5e5605879179645de9399
## Disclosure: Full
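The workflow above (derive the well-known URL, parse the file, validate it) is easy to reproduce in base R. The following is an added example written for this README, not code from the securitytxt package; the function names wellknown_sectxt_url, parse_sectxt and validate_sectxt are hypothetical, the sample file is constructed, and the set of accepted field names is an assumption taken from the fields visible in the examples above (Contact, Encryption, Disclosure, Acknowledgements), with Contact treated as required and Disclosure restricted to Full, Partial or None as in the draft-00 specification. Which fields and values the package itself accepts is decided by its own code, not by this example.

```r
# Added example, not part of the securitytxt package: a minimal base-R
# security.txt locator, parser and validator.

# Derive the well-known location from any absolute http(s) URL on a site,
# e.g. "https://rud.is/b" -> "https://rud.is/.well-known/security.txt".
wellknown_sectxt_url <- function(u) {
  m <- regmatches(u, regexec("^(https?://[^/?#]+)", u))[[1]]
  if (length(m) < 2) stop("not an absolute http(s) URL: ", u)
  paste0(m[2], "/.well-known/security.txt")
}

# Parse raw lines into a data frame of key/value pairs. Blank lines and
# comment lines (starting with "#") are skipped; the field name is the text
# before the first colon and the value is everything after it, trimmed.
# Lines that carry no "Field:" prefix are returned separately as malformed.
parse_sectxt <- function(lines) {
  lines <- trimws(lines)
  lines <- lines[nzchar(lines) & !startsWith(lines, "#")]
  ok <- grepl("^[A-Za-z-]+:", lines)
  malformed <- lines[!ok]
  lines <- lines[ok]
  key <- sub(":.*$", "", lines)
  value <- trimws(sub("^[A-Za-z-]+:", "", lines))
  list(
    fields = data.frame(key = key, value = value, stringsAsFactors = FALSE),
    malformed = malformed
  )
}

# Assumed field set for this example (from the fields shown in this README).
known_fields <- c("Contact", "Encryption", "Disclosure", "Acknowledgements")

# Validation rules: no malformed lines, at least one Contact, only known
# field names, and Disclosure limited to Full / Partial / None (draft-00).
# Returns a logical verdict plus a character vector of problems found.
validate_sectxt <- function(parsed) {
  f <- parsed$fields
  problems <- character(0)
  if (length(parsed$malformed) > 0)
    problems <- c(problems, paste("malformed line:", parsed$malformed))
  if (!any(f$key == "Contact"))
    problems <- c(problems, "no Contact field (required)")
  unknown <- setdiff(unique(f$key), known_fields)
  if (length(unknown) > 0)
    problems <- c(problems, paste("unknown field:", unknown))
  disc <- f$value[f$key == "Disclosure"]
  if (length(disc) > 0 && !all(disc %in% c("Full", "Partial", "None")))
    problems <- c(problems, "Disclosure must be Full, Partial or None")
  list(valid = length(problems) == 0, problems = problems)
}

# Constructed sample modelled on the rud.is file above, with one
# deliberately malformed line so the validator has something to report.
sample_lines <- c(
  "# Constructed sample for this example",
  "Contact: security@example.com",
  "Encryption: https://example.com/pgp-key.asc",
  "Disclosure: Full",
  "this line has no field name"
)

wellknown_sectxt_url("https://example.com/some/page?x=1")
p <- parse_sectxt(sample_lines)
p$fields
validate_sectxt(p)   # valid = FALSE, one "malformed line:" problem
```

Dropping the last element of sample_lines makes validate_sectxt() return valid = TRUE. To run it against a live site, replace sample_lines with readLines(url(wellknown_sectxt_url("https://example.com"))), keeping in mind that a missing file raises an error from readLines() rather than an empty result.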

Code of Conduct

Please note that this project is released with a Contributor Code of Conduct. By participating in this project you agree to abide by its terms.
