Whereby’s security.txt entry: Vulnerability reporting and RFC 9116

When it comes to reporting security vulnerabilities it can be difficult for security researchers to identify the Vulnerability Disclosure Policy and find the right contact address. 

And it’s understandable why. Each website is different in its structure and style which can lead to confusion for some on how to find the necessary information. 

After releasing our Vulnerability Disclosure Policy one year ago, we received reports and realized we needed to support these researchers even more. At times it may be unclear what is expected of these reports and where they should be sent.

There is a standardized way to do this and in the light of RFC 9116 A File Format to Aid in Security Vulnerability Disclosure, Whereby now has a security.txt entry, making it much easier for researchers to find the right information. A PGP key is also readily available for encryption of communication should there be a desire to add an extra measure of protection to the reported issue. 

Having appropriate ways to report vulnerabilities and managing those vulnerabilities is key to maintaining Whereby’s security posture as well as complying with industry standards such as the ISO27001 certification.

As a low-TCO (total cost of ownership) offering, we will handle security vulnerabilities in our platform so that our customers don’t have to. However, it’s still up to our customers to handle vulnerabilities in their own platform.

If you are one of our current or future Whereby Embedded customers, have you considered how vulnerabilities should be reported in your platforms? If so, can researchers find that guidance easily? An easy way to do this is to create a security.txt entry, which is a recommended industry best practice. You can easily create it using the author's website.

Create your security.txt file and make it easier for researchers to report vulnerabilities in your product!