security.txt (RFC 9116)

In 2017, I published an Internet Draft titled “A File Format to Aid in Security Vulnerability Disclosure (security.txt)” for a proposed Internet standard which allows websites to define security policies. The Internet Draft was subsequently adopted by the IETF and was published as RFC 9116 in April 2022.

Can I take over XYZ?

“Can I take over XYZ?” is a community-maintained GitHub repository for tracking services enabling subdomain takeovers by not requiring verification of domain ownership. This project aids both bug bounty hunters and bug bounty programme owners in determining whether a particular service is vulnerable to (sub)domain takeovers.

As Michael Skelton put it, the repository has mostly evolved into a discussion board where the issue tickets allow for more open discussion surrounding the nuances of performing (sub)domain takeovers against particular services.

Publications

RFC 9116: A File Format to Aid in Security Vulnerability Disclosure (security.txt)
Edwin Foudil, Yakov Shafranovich
Internet Engineering Task Force (IETF), April 2022

A Guide To Subdomain Takeovers
EdOverflow
HackerOne, August 2018

On escalating your bug bounty findings
Edwin “EdOverflow” Foudil, T.-C. “Filedescriptor” Hong
Paged Out!, August 2019