Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

What is the use of the hackers.txt file?

People also ask

Do hackers use .txt files?

txt can give precious details to hackers, when it comes to attacks, because robots. txt as the capability to tell search engines which directories can and cannot be crawled on a web server.

What can hackers do with robots txt?

Robots. txt files tell search engines which directories on a web server they can and cannot read. Weksteen, a former Securus Global hacker, thinks they offer clues about where system administrators store sensitive assets because the mention of a directory in a robots.

What is a security TXT file for?

txt is a proposed standard for websites' security information that is meant to allow security researchers to easily report security vulnerabilities. The standard prescribes a text file called "security. txt" in the well known location, similar in syntax to robots.

Are TXT files secure?

Files with the TXT extension are typically considered safe. Are they, though? Employees who receive external e-mails typically receive information about which files are potentially dangerous. For example, EXE files are considered unsafe by default, as are DOCX and XLSX files, which can contain malicious macros.


The way I see things:

  • robots.txt contains information and instructions for robots (so it should be read/used by web crawlers, spiders and other kind of bots)
  • humans.txt contains useful information to be consumed by humans, according to http://humanstxt.org/
  • hackers.txt should be targeted towards hackers, so it should contain any information the site owner might want to transmit to a hacker, as Ze'ev pointed out. I don't think this should be a place for hackers to write anything, but rather to get information from the site owner (perhaps on how to report vulnerabilities, as others suggested).

Commonly known as Eduardo Vela, Eduardo A. Vela Nava (or sirdarckcat on Github and Twitter) has been a Security Engineer at Google since 2010. (He currently has the role of Product Security Response Team Lead).

As other security experts before him, he pondered the issue of effectively communicating the details of a site's vulnerability reward program to white hat hackers/pen-testers.

One specific such person is Chema Alonso (also on Twitter).

He is well-known enough to warrant a Spanish Wikipedia entry

Between 2005 and 2011 Alonso was awarded the Microsoft Most Valuable Professional Award for Enterprise Security 6 years in a row. That should tell you something about his "skillz".


On February 3rd 2011 Alonso wrote about his frustrations regarding the topic of communication between the administrators and/or developers of a site and hackers.

Screenshot of Alonso's hackers.txt blog-post

He proposes a similar initiative as humans.txt but for hackers. As he mentions this hackers.txt initiative in his blog-post.


In April 2011 The humanstxt.org website got a new design which includes the image which mentions the hackers.txt file.

At this point, I must sadly submit to conjecture, but... consider:

  • The team behind humans.txt are all from Spain (mostly Barcelona)
  • At this point Alonso is already quite well known in the Spanish developer community

Would it be such a far stretch to imagine that they got to know of each other's efforts?


On May 14th 2014 Vela, already working at Google, commented on a blog-post by Alonso. It is most likely that they had further contact in a professional setting. Whether or not thay extively shared their idea's regarding anything related to hackers.txt is unknown.


On July 6th 2017 Vela posted a question to this extent on twitter:

Screenshot of the Twitter post by Eduardo Vela

How about we create a /hackers.txt that says whether something is in scope or not of a vulnerability reward program and where to report it?

Subsequently, an empty git repository was created for hackerstxt.org on github and an email thread was opened at Google Groups to discuss this idea further.


On August 13 2017, Edwin Foudil (or EdOverflow on Github and Twitter) created a git repository for security.txt on Github and responded to the mailing list:

I have published a similar project to the one being discussed in this group (https://github.com/EdOverflow/security-txt) and would love to get some of your feedback and ideas.

The project is the equivalent of robots.txt, but for defining a security policy. Companies can add a security.txt to their website and define clear guidelines of what security researchers must do when they discover a security issue. security.txt also allows bug bounty programs to add their scope there. security.txt uses a similar syntax to robots.txt, which should make it easier for machines to parse.

He was, in part, inspired by an open-source project he was working on at the time called GratiPay. GratiPay had a SECURITY.txt file since 2013.

His inspiration also drew from the SECURITY.md files that more and more open-source projects were adding to their repositories.


On September 10th 2017, Foudil submitted a first draft for security.txt to the Internet Engineering Task Force.

enter image description here


On September 14th 2017 Alonso wrote a blog post with the title (translated from Spanish) "Security.TXT an IETF draft for my Hackers.TXT".

Beyond the title, Alonso does not allude to the fact that his 2011 idea was the origin of the draft but he does state his approval of the effort.


On February 3rd 2018, the mail group was informed to concede to security.txt and Vela tweeted that Google had already implemented one.


Further information

Details and a nifty tool to generate your own security.txt can be found at https://securitytxt.org/

Screenshot of the securitytxt.org website

Adoptation

Even though the RFC is still in draft, the standard is already being adopted quite well by major players on the web.

Besides the security.txt at Google, there is also one on the website of:

  • 1password
  • BBC
  • bit.ly - http://bit.ly/security.txt (can't be linked because StackOverflow blacklist the use of common link shorteners in posts)
  • CERT NZ
  • DailyMotion
  • Dropbox
  • Facebook
  • Github
  • haveibeenpwned
  • NodeJs
  • NPM
  • Open SSL
  • Shopify

(Feel free to add more from well-known sites, if you find 'm)


As with humans.txt, there also seems to be a hackers.txt site at http://www.hackerstxt.org/. I'm not sure if someone has set the site up as a joke or not, but it links to a blog post on someone's Blogger site.

The post rambles on a bit (I put it through Google Translate) about the poster's history as a 'hacker'. Anyway, towards the end the writer says:

therefore believe we should promote an initiative type hackers.txt , in which managers leave us a message to potential "aliens who are good" that makes it clear they will do managers receive a report of a vulnerability in your site. I've been circling this , the truth is that it is difficult to finish shaping, because perhaps some "alien who is not so good" , type Brainiac , take a free hand to brush a site, or the "good board administrator" , decide to change your mind and Liem, but I think we should be able to do something, I dunno, maybe having Jon Jonz , or perhaps thinking about how to write that file hackers.txt . How do you see it? Greetings Evil!

So I assume that the poster wants to start a sort of hackers.txt standard in the vein of humans.txt, but hasn't finished it off, or hasn't gotten it into the English speaking world.

Digging around, the Blogger site seems to be owned by a guy called Chema Alonso, who must be fairly reputable in the world of Spanish programmers as he has about 35k Twitter followers (https://twitter.com/chemaalonso). He seems to work for a company called ElevenPaths (http://elevenpaths.com/), which says that it's driving "radical innovation in security product development". A quick Whois check shows that the hackerstxt.org domain is registered by someone in Madrid, so I would assume it's Alonso.

The .txt file over at http://www.textfiles.com/news/hackers.txt, which has been refered to by some of the other answers in this thread, doesn't seem to have anything to do with the hackers.txt reference over at http://humanstxt.org/, and neither do most other search results for 'hackers.txt'.


It's possibly a joke, but If humans.txt is for humans to read then maybe hackers.txt is a warning for hackers.

Like the notice you get when you SSH into some more public terminals. "You are being watched... we will get you if you do anything bad..." That sort of thing.

If a hacker did compromise the site, the might notice the file, read it, realise you mean business and be scared away!

Interesting idea.