internetstandards / Internet.nl

Internet standards compliance test suite
https://internet.nl

Ideas on weighing the security.txt subtest into the score (this has not been decided yet!) #899

Open baknu opened 1 year ago

baknu commented 1 year ago

Currently, as stated in the test explanation, the requirement level of the security.txt subtest is 'Recommended'. Therefore the results do not weigh into the score. Only STATUS_FAIL leads to point reduction, and we do not use this status yet for the security.txt subtest.

So currently we translate sectxt messages as follows:

If we want to weigh the security.txt subtest into the score (this has not been decided yet!), the translation could become as follows.

If we do this, we should also decide on the score impact. Note that currently none of the subtests in the test category "Security options" weigh into the score.

For some background on test results and score see: https://en.internet.nl/faqs/report/
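To make the mechanism in the comment above concrete, here is an added example (not Internet.nl's own code, and not the sectxt library): a minimal security.txt check whose findings are mapped to a subtest status, and a score that only drops when that status is STATUS_FAIL. The field checks (Contact and Expires required, Expires a valid, non-expired date), the status names other than STATUS_FAIL, the starting score of 100 and the point values are assumptions for illustration; the sample security.txt bodies are constructed.

```python
"""Added example: map security.txt findings to a subtest status and show
that only STATUS_FAIL reduces the score (an assumed scoring model)."""
from datetime import datetime, timedelta, timezone

STATUS_SUCCESS = "STATUS_SUCCESS"
STATUS_NOTICE = "STATUS_NOTICE"
STATUS_FAIL = "STATUS_FAIL"


def parse_security_txt(text, now):
    """Return (fields, errors, warnings) for a security.txt body.

    Checks a small subset of RFC 9116: 'Contact' and 'Expires' are
    required, 'Expires' appears once, is ISO 8601 and is not in the past.
    An 'Expires' more than a year ahead is only a warning.
    """
    fields, errors, warnings = {}, [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments carry no field
        if ":" not in line:
            errors.append(f"line {lineno}: not a 'Field: value' line")
            continue
        name, value = line.split(":", 1)
        fields.setdefault(name.strip().lower(), []).append(value.strip())

    if "contact" not in fields:
        errors.append("missing required field: Contact")
    if "expires" not in fields:
        errors.append("missing required field: Expires")
    else:
        if len(fields["expires"]) > 1:
            errors.append("Expires must appear at most once")
        try:
            exp = datetime.fromisoformat(fields["expires"][0].replace("Z", "+00:00"))
            if exp.tzinfo is None:
                exp = exp.replace(tzinfo=timezone.utc)
            if exp < now:
                errors.append("Expires is in the past")
            elif exp > now + timedelta(days=365):
                warnings.append("Expires is more than a year ahead")
        except ValueError:
            errors.append("Expires is not an ISO 8601 datetime")
    return fields, errors, warnings


def check_security_txt(text, weighed, now):
    """Translate parser findings into a subtest status.

    'weighed=False' models the current 'Recommended' level: problems become a
    notice only. 'weighed=True' models the proposal: problems become
    STATUS_FAIL, which is the only status that costs points.
    """
    _, errors, warnings = parse_security_txt(text, now)
    if errors:
        return STATUS_FAIL if weighed else STATUS_NOTICE
    if warnings:
        return STATUS_NOTICE
    return STATUS_SUCCESS


def score(statuses, fail_points):
    """Assumed model: start at 100 and subtract points only for STATUS_FAIL."""
    total = 100
    for subtest, status in statuses.items():
        if status == STATUS_FAIL:
            total -= fail_points.get(subtest, 0)
    return max(total, 0)


# Constructed sample inputs (not real sites); a fixed 'now' keeps runs stable.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
GOOD = "# constructed\nContact: mailto:security@example.com\nExpires: 2024-12-01T00:00:00Z\n"
NO_EXPIRES = "Contact: mailto:security@example.com\n"

if __name__ == "__main__":
    for body in (GOOD, NO_EXPIRES):
        for weighed in (False, True):
            status = check_security_txt(body, weighed, NOW)
            total = score({"security_txt": status}, {"security_txt": 10})
            print(f"weighed={weighed!s:5} status={status:14} score={total}")
```

Running the block shows the point of the discussion: the same missing 'Expires' field leaves the score untouched while the subtest is 'Recommended' and costs points only once it is weighed and the finding is translated to STATUS_FAIL.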

baknu commented 1 year ago

security.txt has been included in the 'comply or explain' list since last week: https://forumstandaardisatie.nl/nieuws/securitytxt-mandatory-dutch-government This seems an argument to weigh the security.txt subtest result into the test score.

Formally the inclusion means that govs that are investing EUR >50k in a website/webservice should choose to apply the security.txt standard. Deviation is allowed only if there is a reason of exceptional weight and must be justified in the annual report. It is not a usage mandate yet. Such a mandate is in place for the other standards that do weigh into the score (like IPv6, DNSSEC, DMARC+DKIM+SPF, DANE+STARTTLS, HTTPS+HSTS). (A usage mandate would be a so-called "streefbeeldafspraak" with an implementation deadline or even further a "wettelijke verplichting".)

In our decision we also have to take into account how many websites (for example in our HoF) currently support security.txt. Furthermore, we should announce the score weighing at least 6 months in advance (like we have done with other standards as well).

Last: RPKI (for which a "streefbeeldafspraak" is in place) is the first candidate to be added to the tests with scoring impact (#745). It does not seem a good idea to have too many score changes in a short time period.