The security.txt file is a standardized location where security researchers (bug bounty hunters) can find contact information for the security team, along with other security policies and information. This file is hosted at loopreturns.com/security.txt.
The security.txt file should be regenerated every 2 years at most, sooner if relevant information changes. The file is cryptographically signed, so any modification to the file will require it to be re-signed with the security@loopreturns.com GPG key. The private key and passphrase can be found in 1Password in the security folder.
The current security.txt file is located in 1Password. If changes or updates are needed, you can edit this file directly or visit https://securitytxt.org/ for a handy generator.
So that security researchers can confirm our security.txt file is genuine, we cryptographically sign the file after it is created. The private key and passphrase for security@loopreturns.com are located in 1Password, and the following steps are required to sign the file.
1. Install GPG:
   brew install gpg
2. Import the key:
   gpg --import loopsec.pgp
   If you are prompted for the passphrase, it can be found in 1Password.
3. Sign the file:
   gpg --clear-sign --default-key security@loopreturns.com security.txt
4. This creates security.txt.asc. Rename this file security.txt and delete the original. Note that at this point the file cannot be modified without re-signing.
5. Upload this version to 1Password and note the expiration date.
6. Contact Joel Rannabarger (or someone on his team) and ask to have the file uploaded. Remind them that the file cannot be modified or it will invalidate the signature.
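A pre-upload check for the signed file, added here as an example and not part of the original procedure or any Loop tooling: it confirms the file is still wrapped in clear-sign armor and reads the Expires date that needs to be noted. The function name, the sample file content and the 30-day warning window are assumptions made for illustration.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the address, date and signature body are placeholders.
SAMPLE = """-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

# Constructed example content
Contact: mailto:security@example.com
Expires: 2031-01-01T00:00:00.000Z
-----BEGIN PGP SIGNATURE-----

PLACEHOLDER-NOT-A-REAL-SIGNATURE
-----END PGP SIGNATURE-----
"""

def check_signed_security_txt(text, now=None, warn_days=30):
    """Return (problems, fields) for a clear-signed security.txt."""
    now = now or datetime.now(timezone.utc)
    lines = text.replace("\r\n", "\n").split("\n")
    try:
        start = lines.index("-----BEGIN PGP SIGNED MESSAGE-----")
        sig = lines.index("-----BEGIN PGP SIGNATURE-----", start)
        end = lines.index("-----END PGP SIGNATURE-----", sig)
        body = lines.index("", start, sig) + 1  # blank line ends the armor headers
    except ValueError:
        return ["file is not clear-signed (armor lines missing)"], {}
    problems, fields = [], {}
    if not any(l.strip() for l in lines[sig + 1:end]):
        problems.append("signature block is empty")
    for raw in lines[body:sig]:
        line = raw[2:] if raw.startswith("- ") else raw  # undo OpenPGP dash-escaping
        m = re.match(r"([A-Za-z-]+):\s*(.+)$", line)  # comment lines (#) never match
        if m:
            fields.setdefault(m.group(1).lower(), []).append(m.group(2).strip())
    if "contact" not in fields:
        problems.append("no Contact field")
    expires = fields.get("expires", [])
    if len(expires) != 1:
        problems.append("expected exactly one Expires field, found %d" % len(expires))
        return problems, fields
    try:
        left = datetime.fromisoformat(expires[0].replace("Z", "+00:00")) - now
    except (ValueError, TypeError):  # TypeError: timestamp had no UTC offset
        problems.append("Expires is not a timestamp with an offset: " + expires[0])
        return problems, fields
    if left.total_seconds() <= 0:
        problems.append("file has expired")
    elif left.days < warn_days:
        problems.append("expires in %d days; regenerate and re-sign" % left.days)
    return problems, fields
```

This only inspects the text and does not validate the signature cryptographically; with the public key imported, gpg --verify security.txt does that.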