How to Security.txt

Last updated 8.23.24

The security.txt file is a standardized location (RFC 9116) where security researchers (bug bounty hunters) can find contact information for the security team, along with our other security policies and related info. This file is hosted at loopreturns.com/security.txt

How to create a security.txt

The security.txt file should be regenerated at least every 2 years, and sooner if any of the information in it changes. The file is cryptographically signed, so any modification to it will require it to be re-signed with the security@loopreturns.com GPG key. The private key and passphrase can be found in 1Password in the security folder.

The current security.txt file is located in 1Password. If changes or updates are needed, you can edit this file directly or visit https://securitytxt.org/ for a handy generator.

How to sign the security.txt file

So that security researchers can verify our security.txt file is genuine, we cryptographically sign the file after it is created. The private key and passphrase for security@loopreturns.com are located in 1Password, and the following steps are required to sign the file.

  1. Download a copy of the private key from 1Password.
  2. Ensure you have gpg installed on your laptop. If needed, you can install it with Homebrew using the command brew install gpg
  3. Import the private key into your gpg keychain with the following command: gpg --import loopsec.pgp . If you are prompted for the passphrase, it can be found in 1Password.
  4. Sign the security.txt you created with the command: gpg --clear-sign --default-key security@loopreturns.com security.txt
  5. The signed file will likely be called security.txt.asc . Rename this file to security.txt and delete the original. Note that from this point the file cannot be modified without re-signing. Upload this version to 1Password and note the expiration date.
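The following script is an added example and not Loop's own tooling: it walks through steps 3 to 5 above against a throwaway key in a temporary GNUPGHOME, then runs the two checks worth doing before the file is uploaded: that the signature verifies on the exact bytes you are about to hand over, and that the Expires field falls inside the 2-year regeneration window described earlier. The signer address security@loopreturns.com comes from this page; the key is generated on the fly, so the real key in 1Password is never touched (the real key is passphrase-protected, so gpg will prompt you when you sign for real). The sample security.txt contents are constructed for the demo.

```shell
#!/bin/sh
# Added example (not Loop's own tooling). Everything runs against a temporary
# GnuPG home and a throwaway key, so it never touches the real key.
set -eu

# make_test_key HOME UID: create an isolated GnuPG home with a no-passphrase
# signing key (ed25519 keeps generation fast). Stands in for step 3.
make_test_key() {
  mkdir -p "$1" && chmod 700 "$1"
  GNUPGHOME="$1" gpg --batch --pinentry-mode loopback --passphrase '' \
    --quick-generate-key "$2" ed25519 sign never >/dev/null 2>&1
}

# make_security_txt DIR EXPIRES: write a constructed sample file into DIR and
# print its path. Field values are illustrative, not the production file.
make_security_txt() {
  cat > "$1/security.txt" <<EOF
Contact: mailto:security@loopreturns.com
Expires: $2
Preferred-Languages: en
Canonical: https://loopreturns.com/security.txt
EOF
  printf '%s\n' "$1/security.txt"
}

# sign_security_txt HOME SIGNER FILE: clear-sign FILE (step 4) and replace it
# with the security.txt.asc output, as step 5 describes.
sign_security_txt() {
  GNUPGHOME="$1" gpg --batch --yes --pinentry-mode loopback --passphrase '' \
    --clear-sign --default-key "$2" "$3"
  mv "$3.asc" "$3"
}

# verify_security_txt HOME FILE: succeed only if the clear-signature is good.
# A single edited character inside the signed body gives "BAD signature" and
# a non-zero exit, which is exactly why the uploaded file must not be touched.
verify_security_txt() {
  GNUPGHOME="$1" gpg --batch --verify "$2" >/dev/null 2>&1
}

# expires_field FILE: print the Expires value from the signed body.
expires_field() {
  sed -n 's/^Expires: //p' "$1"
}

# check_expires_window FILE [MAX_YEARS]: the Expires year must be this year or
# later and no more than MAX_YEARS (default 2, per the policy above) ahead.
check_expires_window() {
  exp_year=$(expires_field "$1" | cut -c1-4)
  now_year=$(date +%Y)
  max_years=${2:-2}
  if [ -n "$exp_year" ] && [ "$exp_year" -ge "$now_year" ] \
     && [ "$exp_year" -le $((now_year + max_years)) ]; then
    return 0
  fi
  return 1
}

# cleanup_gnupg HOME: stop the agent gpg started for the temporary home.
cleanup_gnupg() {
  GNUPGHOME="$1" gpgconf --kill gpg-agent >/dev/null 2>&1 || true
  rm -rf "$1"
}

# Demo: sign, verify, check the window, then show a tampered copy is rejected.
run_demo() {
  command -v gpg >/dev/null 2>&1 || { echo "gpg not installed; skipping demo"; return 0; }
  work=$(mktemp -d)
  signer=security@loopreturns.com
  make_test_key "$work/gnupg" "$signer"
  file=$(make_security_txt "$work" "$(( $(date +%Y) + 1 ))-01-01T00:00:00.000Z")
  sign_security_txt "$work/gnupg" "$signer" "$file"
  if verify_security_txt "$work/gnupg" "$file"; then
    echo "signature OK"
  else
    echo "signature FAILED"; exit 1
  fi
  if check_expires_window "$file"; then
    echo "Expires within window: $(expires_field "$file")"
  fi
  sed 's/^Preferred-Languages: en$/Preferred-Languages: xx/' "$file" > "$file.tampered"
  if verify_security_txt "$work/gnupg" "$file.tampered"; then
    echo "tampered copy unexpectedly verified"; exit 1
  else
    echo "tampered copy rejected"
  fi
  cleanup_gnupg "$work/gnupg"
  rm -rf "$work"
}
run_demo
```

Against the real key, drop the --batch, --pinentry-mode and --passphrase options from the signing command so gpg prompts for the 1Password passphrase; verify_security_txt and check_expires_window apply unchanged to the file you are about to upload.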

Adding the updated security.txt to loopreturns.com

Contact Joel Rannabarger (or someone on his team) and ask to have the file uploaded. Remind them that the file cannot be modified in any way, or the signature will be invalidated.