Project Status: Active – The project has reached a stable, usable state and is being actively developed. Signed by Signed commit %Linux build Status Windows build status Coverage Status cran checks CRAN status Minimal R VersionLicense

Identify and Parse Web Security Policies Files

Description

When security risks in web services are discovered by independent security researchers who understand the severity of the risk, they often lack the channels to properly disclose them. As a result, security issues may be left unreported. The ‘security.txt’ ‘Web Security Policies’ specification defines an ‘IETF’ draft standard https://tools.ietf.org/html/draft-foudil-securitytxt-00 to help organizations define the process for security researchers to securely disclose security vulnerabilities. Tools are provided to help identify and parse ‘security.txt’ files to enable analysis of the usage and adoption of these policies.

What’s Inside The Tin

The following functions are implemented:

  • sectxt_info: Retrieve a data frame of security.txt keys/values
  • sectxt: Parse a security.txt Web Security Policies file & create a sectxt object
  • sectxt_url: Determine security.txt URL for a given site/URL
  • sectxt_validate: Validate a security.txt Web Security Policies file

Installation

install.packages("securitytxt", repos = "https://cinc.rud.is")
# or
remotes::install_git("https://git.rud.is/hrbrmstr/securitytxt.git")
# or
remotes::install_git("https://git.sr.ht/~hrbrmstr/securitytxt")
# or
remotes::install_gitlab("hrbrmstr/securitytxt")
# or
remotes::install_bitbucket("hrbrmstr/securitytxt")
# or
remotes::install_github("hrbrmstr/securitytxt")

NOTE: To use the ‘remotes’ install options you will need to have the {remotes} package installed.

Usage

library(securitytxt)

# current verison
packageVersion("securitytxt")
## [1] '0.1.1'

# built-in example
x <- sectxt(readLines(system.file("extdata", "security.txt", package="securitytxt")))
sectxt_info(x)
##          key                           value
## 1    contact            security@example.com
## 2 encryption https://example.com/pgp-key.txt

# "live" example
(xurl <- sectxt_url("https://securitytxt.org"))
## [1] "https://securitytxt.org/.well-known/security.txt"
x <- sectxt(url(xurl))
sectxt_info(x)
##                key                                      value
## 1          contact                   https://hackerone.com/ed
## 2       encryption https://keybase.pub/edoverflow/pgp_key.asc
## 3 acknowledgements            https://hackerone.com/ed/thanks
sectxt_validate(x)
## [1] FALSE
x
## <Web Security Policies Object>
## # If you would like to report a security issue
## # you may report it to us on HackerOne.
## Contact: https://hackerone.com/ed
## Encryption: https://keybase.pub/edoverflow/pgp_key.asc
## Acknowledgements: https://hackerone.com/ed/thanks

# another "live" example
(xurl <- sectxt_url("https://rud.is/b"))
## [1] "https://rud.is/.well-known/security.txt"
x <- sectxt(url(xurl))
sectxt_info(x)
##          key                                                                                         value
## 1    contact                                                                                    bob@rud.is
## 2 encryption https://keybase.io/hrbrmstr/pgp_keys.asc?fingerprint=e5388172b81c210906f5e5605879179645de9399
## 3 disclosure                                                                                          Full
sectxt_validate(x)
## [1] TRUE
x
## <Web Security Policies Object>
## Contact: bob@rud.is
## Encryption: https://keybase.io/hrbrmstr/pgp_keys.asc?fingerprint=e5388172b81c210906f5e5605879179645de9399
## Disclosure: Full

Code of Conduct

Please note that this project is released with a Contributor Code of Conduct. By participating in this project you agree to abide by its terms.