security.txt mandatory for Dutch government


As of May 25, 2023, security.txt has been added to the 'Comply or Explain' list of the Netherlands Standardisation Forum. This means that Dutch municipalities, provinces, the central government, water boards and all executive agencies are obliged to apply this open standard, or to explain why they do not.

This is an English-language news item. A Dutch-language version is also available.

Why security.txt?

The standard (RFC 9116) describes a plain-text file called security.txt, served from your web server at /.well-known/security.txt, in which you publish contact information for reporting vulnerabilities. Security researchers and ethical hackers use this information to reach the right department or person directly when they find a vulnerability. This speeds up remediation and gives cybercriminals less opportunity to exploit the vulnerability in the meantime.

The requirement is consistent with the Government Information Security Baseline (BIO), which requires government organisations to have a procedure for receiving and handling vulnerability reports, a so-called Coordinated Vulnerability Disclosure (CVD) procedure. Security.txt guides ethical hackers directly to the appropriate entry point for this procedure.
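The test tool mentioned further on is not described on this page, so the following is an added example (not code from the Netherlands Standardisation Forum, NCSC-NL or the DTC) of what such a check looks like: a small RFC 9116 validator that parses a security.txt file, enforces the rules that matter for reaching a CVD entry point (at least one Contact, exactly one Expires, Expires in the future, URI-valued fields) and reports errors and warnings. The two sample files and the organisation name example.nl are constructed for illustration; the OpenPGP cleartext wrapper is stripped but the signature is not verified.

```python
"""Minimal RFC 9116 (security.txt) validator; added example, samples constructed."""
from __future__ import annotations

from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# Fields whose value must be a URI (field names are case-insensitive).
URI_FIELDS = {"acknowledgments", "canonical", "contact", "encryption", "hiring", "policy"}
# Schemes accepted besides https for particular fields.
EXTRA_SCHEMES = {"contact": {"mailto", "tel"}, "encryption": {"dns", "openpgp4fpr"}}


def parse_security_txt(text: str) -> tuple[list[tuple[str, str]], list[str]]:
    """Return (fields, problems). Fields keep file order, names lower-cased."""
    fields, problems, in_armor_header = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "-----BEGIN PGP SIGNED MESSAGE-----":
            in_armor_header = True          # "Hash: ..." lines follow until a blank line
            continue
        if in_armor_header:
            in_armor_header = line != ""
            continue
        if line == "-----BEGIN PGP SIGNATURE-----":
            break                           # body ends here; rest is the signature
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep or not name.strip() or not value.strip():
            problems.append(f"ERROR: malformed line: {raw!r}")
            continue
        fields.append((name.strip().lower(), value.strip()))
    return fields, problems


def validate(text: str, now: datetime | None = None) -> list[str]:
    """Check the RFC 9116 MUST/SHOULD rules; returns 'ERROR: ...' / 'WARN: ...' strings."""
    now = now or datetime.now(timezone.utc)
    fields, problems = parse_security_txt(text)
    names = [n for n, _ in fields]
    if "contact" not in names:
        problems.append("ERROR: at least one Contact field is required")
    if names.count("expires") != 1:
        problems.append("ERROR: exactly one Expires field is required")
    if names.count("preferred-languages") > 1:
        problems.append("ERROR: Preferred-Languages must not appear more than once")
    if "-----BEGIN PGP SIGNATURE-----" in text and "canonical" not in names:
        problems.append("WARN: a signed file should carry a Canonical field")
    for name, value in fields:
        if name == "expires":
            try:  # RFC 3339 timestamp; Python's parser wants +00:00 rather than Z
                exp = datetime.fromisoformat(value.replace("Z", "+00:00"))
            except ValueError:
                problems.append(f"ERROR: Expires is not RFC 3339: {value!r}")
                continue
            if exp.tzinfo is None:
                problems.append("ERROR: Expires lacks a UTC offset")
            elif exp <= now:
                problems.append(f"ERROR: file expired on {value}")
            elif exp - now > timedelta(days=365):
                problems.append("WARN: Expires should be less than a year away")
        elif name in URI_FIELDS:
            scheme = urlsplit(value).scheme.lower()
            if scheme == "https" or scheme in EXTRA_SCHEMES.get(name, ()):
                continue
            if scheme == "http":
                problems.append(f"WARN: {name} uses http, not https: {value}")
            else:
                problems.append(f"ERROR: {name} is not a URI: {value!r}")
    return problems


GOOD = """\
# Constructed sample, not a real organisation's file
Contact: mailto:security@example.nl
Contact: https://example.nl/responsible-disclosure
Expires: 2025-12-31T23:00:00.000Z
Preferred-Languages: nl, en
Canonical: https://example.nl/.well-known/security.txt
Policy: https://example.nl/cvd-beleid
"""

BAD = """\
Contact: security@example.nl
Policy: http://example.nl/cvd-beleid
Preferred-Languages: nl
Preferred-Languages: en
"""


def demo() -> dict[str, list[str]]:
    """Validate both constructed samples against a fixed reference date."""
    now = datetime(2025, 1, 15, tzinfo=timezone.utc)
    return {"good": validate(GOOD, now), "bad": validate(BAD, now),
            "good_after_expiry": validate(GOOD, now + timedelta(days=400))}


if __name__ == "__main__":
    for label, found in demo().items():
        print(label, found or "OK")
```

The reference date is fixed so the run is reproducible; in a real deployment check you would pass the current time, fetch the file over HTTPS from /.well-known/security.txt and additionally verify any OpenPGP signature before trusting the Contact fields.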

Usage by government

In early 2023, a measurement was done with the test tool. It showed that nearly 20% of the government websites measured had security.txt in place. With the new mandate, the Netherlands Standardisation Forum wants to increase usage further. "The more websites implement this, the better we can make use of the good work of ethical hackers. The government sets a good example in this," says Theo Peters (CTO at the Realisation organisation of the Association of Netherlands Municipalities (VNG) and member of the Netherlands Standardisation Forum).

The measurement also showed that several central government organisations already refer to NCSC-NL's central security.txt file. The Netherlands Standardisation Forum calls on all central government organisations that want to make use of the central government's CVD policy to do the same. NCSC-NL has published a guide on security.txt with guidance for this purpose.

Usage by business

In October 2022, the Digital Trust Center (DTC) and a large number of ambassadors made a call for companies and IT service providers to use security.txt. Since that call, the number of Dutch domain names equipped with security.txt has grown to over 88,000.

The DTC uses security.txt to notify Dutch businesses faster in the event of a serious cyber threat and welcomes the requirement for governments. "Hopefully the recognition by the Netherlands Standardisation Forum will help to further increase the acceptance of this simple measure that contributes to a digitally safer business sector," says Kim van der Veen, Project Leader of the Notification Service.