Putting a security.txt file up on our site has generated a ton of noise from people sending us their interpretations of Burp Suite results. Nothing substantial, yet everyone wants a payout and sends follow-up after follow-up. Feels like the Hacktoberfest GitHub thing. If you have a real security issue that someone cares enough to disclose to you, they'll find a way to contact you.
Thanks. Someone had done a scan for security.txt files before but was unable to scan the entire Alexa Top 1 million websites. Only the top 1,000. I checked the top 1 million from a 1.5Mbit residential DSL line using Go routines.
The blog post has more details and a short overview of the results. It's linked at the bottom of the repo. I was hoping to get feedback on the code.
Definitely felt like wishful thinking whenever I heard that security.txt was a thing.
From the blog post:
> Of the 666,771 most popular websites on the Alexa list, I found 2,884 security.txt files that were content-type “text/plain” and returned an HTTP 200 status code. Not all of these were valid security.txt files, but most were.
Yes, it's not as widely implemented as I expected. Adoption seems to drop quickly. Roughly 20% for the top 10 websites, 15% for the top 100 and about 10% for the top 1,000. It's downhill from there.
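The quoted blog post counts a hit when the response is HTTP 200 with content-type text/plain, and notes that not every hit was a valid security.txt. The following Go program is an added example, not code from the scanner repo or blog post discussed in the thread: it applies those two response checks and then parses the body against the mandatory-field rules of RFC 9116 (at least one Contact, exactly one Expires, Expires a valid RFC 3339 timestamp that is neither past nor more than a year ahead). The function names, the sample bodies and the fixed "now" timestamp are all constructed for the example; the RFC 9116 requirements postdate the thread, which is why the blog's count did not check them.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Parsed holds the field/value pairs found in a security.txt body.
// Field names are case-insensitive in RFC 9116, so they are stored lower-cased.
type Parsed struct {
	Fields map[string][]string
}

// ParseSecurityTxt parses "Field: value" lines. Blank lines and "#" comments are
// skipped; a non-comment line without a colon is reported as malformed.
func ParseSecurityTxt(body string) (Parsed, []string) {
	p := Parsed{Fields: map[string][]string{}}
	var problems []string
	for i, raw := range strings.Split(body, "\n") {
		line := strings.TrimRight(raw, "\r")
		if strings.TrimSpace(line) == "" || strings.HasPrefix(line, "#") {
			continue
		}
		parts := strings.SplitN(line, ":", 2)
		if len(parts) != 2 {
			problems = append(problems, fmt.Sprintf("line %d: no 'Field: value' separator", i+1))
			continue
		}
		name := strings.ToLower(strings.TrimSpace(parts[0]))
		value := strings.TrimSpace(parts[1])
		p.Fields[name] = append(p.Fields[name], value)
	}
	return p, problems
}

// Validate applies the blog post's response checks (HTTP 200, text/plain) and the
// RFC 9116 mandatory-field rules. It returns one message per problem found; an
// empty slice means the file passed every check.
func Validate(status int, contentType, body string, now time.Time) []string {
	var problems []string
	if status != 200 {
		problems = append(problems, fmt.Sprintf("HTTP status %d, expected 200", status))
	}
	// Strip any "; charset=..." parameter before comparing the media type.
	mediaType := strings.ToLower(strings.TrimSpace(strings.Split(contentType, ";")[0]))
	if mediaType != "text/plain" {
		problems = append(problems, fmt.Sprintf("content-type %q, expected text/plain", mediaType))
	}
	p, parseProblems := ParseSecurityTxt(body)
	problems = append(problems, parseProblems...)
	if len(p.Fields["contact"]) == 0 {
		problems = append(problems, "missing required Contact field")
	}
	switch exp := p.Fields["expires"]; len(exp) {
	case 0:
		problems = append(problems, "missing required Expires field")
	case 1:
		t, err := time.Parse(time.RFC3339, exp[0])
		if err != nil {
			problems = append(problems, "Expires is not an RFC 3339 timestamp")
		} else if t.Before(now) {
			problems = append(problems, "Expires is in the past")
		} else if t.After(now.AddDate(1, 0, 0)) {
			problems = append(problems, "Expires is more than a year away")
		}
	default:
		problems = append(problems, "Expires must appear exactly once")
	}
	return problems
}

func main() {
	// Constructed sample responses; a real scanner would feed in the fetched
	// status, Content-Type header and body for /.well-known/security.txt.
	now := time.Date(2019, 10, 1, 0, 0, 0, 0, time.UTC)
	good := "# constructed sample\nContact: mailto:security@example.com\nExpires: 2020-06-30T00:00:00Z\nPreferred-Languages: en\n"
	bad := "Contact: mailto:security@example.com\n"
	fmt.Println("good:", Validate(200, "text/plain; charset=utf-8", good, now))
	fmt.Println("bad: ", Validate(200, "text/html", bad, now))
}
```

Counting only responses that come back with no problems, rather than any 200 text/plain hit, separates genuine security.txt files from the catch-all pages and placeholder text that inflate a raw scan count.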
An aside, but it would be nice if the tech industry could move beyond three-character extensions. There's zero reason this couldn't be security.text.
It's been at least 35 years since I first saw a non-three-character file name extension (Amiga 1000), there are probably older examples. Computers are supposed to work for people, not the other way around.
.txt is an ancient and extremely well-established extension, and so will not cause any trouble anywhere—it’ll be mapped to text/plain in all standard servers, out of the box.
.text is not a common extension. Some things know that it’s text/plain (my Arch Linux /etc/mime.types and /etc/nginx/mime.types both do), but I expect some common server software won’t handle it properly out of the box (haven’t checked beyond nginx’s mime.types), and common OSes won’t have a handler for .text files set up (Windows, for example, comes with .text set to PerceivedType text like .txt has, so that it’ll suggest the right sort of apps to open it, but it’s still not hooked up to any app by default, unlike .txt which is “Text Document”).
.json is roughly the same as .txt - an abbreviated version of "JavaScript Object Notation". We humans still have to do the translation to the final name.
And, I've never seen ".jsn". I've seen ".json" hundreds of thousands of times, but never ".jsn".
> Computers should work for us. We shouldn't work for computers.
Dump .txt for .text.
If my computer expects me to type an extra letter every time I name a file it isn't working for me. The short extensions make for more efficient typing.
This is the first time I've heard of a jsn file. In my experience as a developer, they're always named with the full four letters. Also, I really don't understand your statement about computers working for us; they're perfectly happy to interpret an extension any way you set it up in the vast majority of file association systems of any modern-day OS.
I don't know why you're getting hung up on TXT in particular, that extension has been around for so long that virtually everyone who has even a passing knowledge of computers knows what it stands for.
Also for CLI purposes, I'd sure as hell rather type "ls .bmp" than "ls .bitmap".
.JavaScriptObjectNotation would be terrible, because of its verbosity and because people call the language JSON: so .json is good.
.xpi is a rather poor example: no one talks about XPInstall (and the majority of its surface area is now even obsolete), so .xpi is to most people completely meaningless unless they have encountered it before and know what it is. .firefox-extension would be a vast improvement over .xpi, because it says what it actually is.
There actually was a short period where Windows 95 was new and had just introduced long filenames with long extensions to former DOS users. Then, for a short time, stuff like .SomeSoftwaresDocument was actually popular.
Well, to be fair, file extensions are more of a Unix/PC thing. In the old days, on pre-OS X Mac OS, extensions didn't matter; extra info about a file was stored in another meta file.
Extensions are only made for backward/universal file compatibility across different platforms. However, I do agree with the parent post: computers ought to work for us, not the other way around. Then again, changing conventions is harder than just typing a 3-letter extension.
> Extensions are not for average computer users. They have icons and filenames. Windows also hides extensions by default.
As far as I recall, extensions became a thing with DOS. They actually had meaning to the OS, e.g. naming a file .exe would make it executable, as there was no other concept of file ownership or permissions.
In Unix/Linux systems, filename extensions have always been for the user. Before GUIs and icons, they were a convention that let the user know something about the file contents. As far as the operating system is concerned, "." is just another character in the name and extensions are meaningless. Note that most binary executables don't have an extension at all, and other files have more than one (e.g. .tar.gz)
PDP-10 was an architecture, and there were many operating systems running on them. You may be thinking of TOPS-20, which indeed used filename.ext, where the extension was limited to 3 characters.
There was also ITS, which was one of the famous operating systems on the PDP-10. On ITS, filenames consisted of two parts, each being 6 characters, separated with a space. So you could have a file named "abc def". The second half was often used in the same way we use extensions today, but executable files were named "ts name", where name was the name of the command.
I'm not sure what format filenames had on TENEX and TOPS-10.
Why? Is there a single person in the universe that would ever be looking at these files and not know that txt is short for text?
Perhaps in some other cases it makes sense, and perhaps we don't even need extensions at all for many files, they can be misleading (not to mention that what 'text' means is just another convention). Microsoft even hides extensions from average users.
But the common extensions that we all know by heart, why change, what's the gain?
Please, let's not make computing any more cavemanlike than it already is. Is a world of obnoxious push-button apps with zero options or customizability not enough for you? Learn to love the contours of what you've got and it will serve you even better!