After 5 years of work, security.txt is officially an RFC. I am pleased to announce RFC 9116: I would like to use this opportunity to thank those who made this possible. Thank you. ❤️

RT @swisscyberstorm: The Swiss Federal Government has adopted a report on ethical hacking referencing two @swisscyberstorm 2023 speakers: @….

Join millions who have switched to Grok.

I will be giving a talk on Coordinated Vulnerability Disclosure (CVD) at Swiss Cyber Storm. If you are interested in attending, please find additional information below.

I have set up a LinkedIn profile if people want to stay connected:

RT @securitytxt: Where did you first hear about security.txt?.

RT @securitytxt: How do you pronounce "security.txt"?.

I am working on something fun with @KarimPwnz to address the challenge of repetitive security questionnaires: @BlueMagnetIO (.

RT @securitytxt: Exciting news! @Apple joins the list of companies with a security.txt file. Now, we only need @netflix to complete the FAA….

I have been playing around with SvelteKit a lot recently. I wrote a short blog post on adding security headers to SvelteKit applications: I might do a more long-form one on the security pitfalls of SvelteKit applications at some point.

Reminder: if you would like to follow my blog via RSS, I have a feed at :).

With references to @hacker_ and @fin1te. Thank you to @KarimPwnz for reviewing a draft.

I have published a new blog post on my bug bounty methodology: "Learn to build it, then break it" —

Nice blog post by @KarimPwnz on the security implications of command injection in GitHub Actions.

Retweeting this because I know BSides London tickets are hard to come by. :).

Also, shout-out to @internet_nl & @mxsash for their work integrating security.txt checks in

It was a pleasure presenting with @jschreuder and @DTC_NL at @OneConferenceNL. The work they are doing to promote security.txt in the Netherlands is amazing. You can read more about their work here:

RT @troyhunt: I love that the Dutch government is actively promoting security.txt and encouraging companies to establish a route for report….

RT @internet_nl: Where can ethical hackers report vulnerabilities at your organization? Publish a security.txt file and test it with Intern….

And here are some photos from the trip. Thank you, @spaceraccoonsec, for being an excellent tour guide. :)

Thank you, @fbsecurity, for organising another fantastic event. I thoroughly enjoyed BountyCon and exploring Singapore. Team BBAC members (@xdavidhu, @_zulln, @ElSec_, @spaceraccoonsec, @rub003, @EdOverflow) managed to find valid vulnerabilities with @rub003 finishing #3 overall.

This looks like a fun chain by @fransrosen. If readers are interested in rapidly checking CSP hosts, I wrote a tool for grabbing them concurrently: