While it might be nice to claim authorship of a website you're proud of building, the main impact of adding this would be that it'd provide an easy mechanism for bots and attackers to harvest data about the people and tech behind something on the internet. Knowing that "Name: Jimbob Smith" was on the team is incredibly useful to anyone who wants to phish access credentials.
Between the "About Us" / "Team" / ... company website pages and LinkedIn profiles, I'd wager a majority of white-collar employees already have much more than the contents of Humans.txt linking back to details of their employment.
Yes, but social engineering doesn't really scale, does it? You need to craft each message manually and adapt it to each company. The name search might not be the most complex part.
Yes, but that's why I say it doesn't scale if you have to go there in person. So having an automated way of getting names is not particularly helpful. The hard and time-consuming part is going there in person or calling the company.
Absolutely. Something that many people may forget or not realize is just how much of the Internet's traffic consists of bots - benevolent, malevolent, or benign. If you've ever made a machine's IP public and logged the IPv4 traffic, it's harrowing and sobering. The results of publicly available information on the Internet are outright terrifying if you are unfortunate enough to register a domain without WHOIS privacy protections through your registrar. The entire IPv4 space is constantly probed by bots and zombies for common vulnerabilities and data mining opportunities, and providing a humans.txt would only be serving any included information to bad agents on a silver platter. robots.txt is already a voluntary "standard", meaning that any agent accessing it must volunteer to respect it - providing more information to automated agents would certainly follow the same unspoken rule.
I think it's noble and fair for the people behind online content to wish to be recognized if they wish, but I would absolutely abstain from putting my name in any document like a humans.txt.
Indeed, we have pages on our site that are north of 95% bot traffic. And they're not junk or honeypot pages. The humans on this page often represent high-value prospects we seek to convert. B2B2C service.
At my company we have a humans.txt that is not hosted in public and we only add first names to a list. So you kinda remember who was involved over the years.
I think that is a nice touch and has no privacy issues.
Yes, the security implications of this information are the first thing that came to my mind while reading the site.
At my current company, we received many phishing attempts trying to impersonate people from IT (including phone calls). LinkedIn, CrunchBase, Glassdoor, and others give you much more data about a company’s employees. But, ironically, leaving a humans.txt file makes things easier for bots.