security.txt (RFC 9116)

In 2017, I published an Internet Draft titled “A File Format to Aid in Security Vulnerability Disclosure (security.txt)” for a proposed Internet standard which allows websites to define security policies. The Internet Draft was subsequently adopted by the IETF and was published as RFC 9116 in April 2022.

security.txt files have been implemented by Google, Facebook, GitHub, the UK government, and many other organisations. In addition, the UK’s Ministry of Justice, the Cybersecurity and Infrastructure Security Agency (US), the French government, the Italian government, and the Australian Cyber Security Centre endorse the use of security.txt files.

Google’s security.txt file

Bug Bounty Guide

In 2018, I created Bug Bounty Guide, a launchpad for bug bounty programmes and bug bounty hunters. While some of my opinions and advice expressed in the chapters may have changed since its date of publication, I still actively encourage people to have a read through.

“Can I take over XYZ?” — a list of services and how to claim (sub)domains with dangling DNS records

“Can I take over XYZ?” is a community-maintained GitHub repository for tracking services enabling subdomain takeovers by not requiring verification of domain ownership. This project aids both bug bounty hunters and bug bounty programme owners in determining whether a particular service is vulnerable to (sub)domain takeovers.

As Michael Skelton put it, the repository has mostly evolved into a discussion board where the issue tickets allow for more open discussion surrounding the nuances of performing (sub)domain takeovers against particular services.

The project has been used as a reference in academic publications such as “Can I Take Your Subdomain? Exploring Same-Site Attacks in the Modern Web” (Squarcina et al., 2021) and “Generative adversarial networks for subdomain enumeration” (Degani et al., 2022).



The following section details some of my contributions to open-source and third-party projects.

(F)OSS contributions

 	} else {
 		if ($0 ~ /^-/) {
 			print red $0 reset
-		} else if ($0 ~ /^+/) {
+		} else if ($0 ~ /^\+/) {
 			print green $0 reset
 		} else if ($0 ~ /^ /) {
 			print $0

General contributions