If you run a website, it's important to give security researchers a clear and consistent way to contact you about vulnerabilities. That's where security.txt comes in: a standardized file for disclosing your security contact information.
Similar to robots.txt, the security.txt file is a plain text file placed at /.well-known/security.txt. It tells researchers how to report security issues and can include contact info, encryption keys, policy URLs, and more.
This standard is defined in RFC 9116.
How to
Here's how you can add such a file:
- Create the file at .well-known/security.txt in your web root. You can use this tool to create it. For example:
    Contact: mailto:me@example.com
    Expires: 2025-08-14T00:00:00.509254Z
    Preferred-Languages: en,nl
- Serve it over HTTPS. The file must be accessible at: https://example.com/.well-known/security.txt
- Set proper headers. Ensure it returns a 200 OK status with a text/plain content type.
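As an added example, not a tool from the post, here is a small Python validator that applies the three steps above to the post's own sample file: it parses the body, checks the RFC 9116 rules (Contact and a single Expires are required, web URIs must be https, Expires must still be in the future and should be less than a year out), and separately checks the serving requirements (HTTPS, the well-known path, 200 OK, text/plain). The function names, problem messages and the constructed response values are this example's own assumptions; the file body and the example.com URL are the ones shown above. Run it today and the sample's Expires date has already lapsed, which is exactly the drift the "keep the file up to date" advice under Best Practices is meant to catch.

```python
"""Validate a security.txt file against the RFC 9116 rules described above.
Added example, not a tool from the original post: function names and problem
messages are this example's own; the sample body and URL come from the post."""
from datetime import datetime, timedelta, timezone

# RFC 9116 field names, matched case-insensitively (IANA extension fields
# registered later would be reported as unknown here).
KNOWN_FIELDS = {"acknowledgments", "canonical", "contact", "encryption",
                "expires", "hiring", "policy", "preferred-languages"}
SINGLE_FIELDS = {"expires", "preferred-languages"}   # at most once
URI_FIELDS = KNOWN_FIELDS - SINGLE_FIELDS            # web URIs must be https

SAMPLE_URL = "https://example.com/.well-known/security.txt"
SAMPLE_FILE = """\
# Constructed copy of the sample shown in the post
Contact: mailto:me@example.com
Expires: 2025-08-14T00:00:00.509254Z
Preferred-Languages: en,nl
"""


def parse_security_txt(text):
    """Return [(lowercased_field, value), ...], skipping blank and comment lines.
    A PGP cleartext-signed file is unwrapped to its signed body; the signature
    itself is not verified here."""
    if text.startswith("-----BEGIN PGP SIGNED MESSAGE-----"):
        parts = text.split("\n\n", 1)            # armor headers, then the body
        text = parts[1] if len(parts) == 2 else ""
        text = text.split("-----BEGIN PGP SIGNATURE-----", 1)[0]
    fields = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError(f"line {lineno}: expected 'Field: value', got {raw!r}")
        fields.append((name.strip().lower(), value.strip()))
    return fields


def parse_timestamp(value):
    """Parse an RFC 3339 timestamp (the Expires format) into an aware datetime."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"            # older Pythons reject a bare 'Z'
    dt = datetime.fromisoformat(value)
    if dt.tzinfo is None:
        raise ValueError("timestamp must carry a timezone offset")
    return dt


def validate_file(text, now=None):
    """Return a list of problems with the file body; empty means it looks valid.
    `now` is an aware datetime or RFC 3339 string, defaulting to the current UTC
    time, so a stale Expires field shows up as soon as it lapses."""
    now = datetime.now(timezone.utc) if now is None else now
    now = parse_timestamp(now) if isinstance(now, str) else now
    try:
        fields = parse_security_txt(text)
    except ValueError as exc:
        return [str(exc)]
    problems, counts = [], {}
    for name, value in fields:
        counts[name] = counts.get(name, 0) + 1
        if name not in KNOWN_FIELDS:
            problems.append(f"unknown field '{name}'")
        elif name in SINGLE_FIELDS and counts[name] > 1:
            problems.append(f"{name}: must not appear more than once")
        elif name in URI_FIELDS and value.lower().startswith("http://"):
            problems.append(f"{name}: web URIs must use https, got {value}")
        elif name == "expires":
            try:
                exp = parse_timestamp(value)
            except ValueError as exc:
                problems.append(f"expires: unparseable value {value!r} ({exc})")
                continue
            if exp <= now:
                problems.append(f"expires: file expired on {exp.isoformat()}")
            elif exp - now > timedelta(days=365):
                problems.append("expires: should be less than a year in the future")
    if counts.get("contact", 0) == 0:
        problems.append("contact: at least one Contact field is required")
    if counts.get("expires", 0) != 1:
        problems.append("expires: exactly one Expires field is required")
    return problems


def check_response(url, status, content_type):
    """Check the serving steps: HTTPS, well-known path, 200 OK, text/plain."""
    problems = []
    if not url.startswith("https://"):
        problems.append("file must be served over HTTPS")
    if not url.endswith("/.well-known/security.txt"):
        problems.append("file must live at /.well-known/security.txt")
    if status != 200:
        problems.append(f"expected 200 OK, got {status}")
    if content_type.split(";")[0].strip().lower() != "text/plain":
        problems.append(f"expected text/plain, got {content_type!r}")
    return problems


if __name__ == "__main__":
    # Against today's date the post's sample has already expired: exactly the
    # drift that "keep the file up to date" is meant to prevent.
    found = validate_file(SAMPLE_FILE) + check_response(SAMPLE_URL, 200, "text/plain; charset=utf-8")
    print("\n".join(found) or "no problems found")
```

The status and content type passed to check_response would normally come from an HTTP HEAD or GET against your own site; they are plain arguments here so the check runs offline. Wiring validate_file into a scheduled job or a CI step is a cheap way to notice an Expires date that has quietly passed.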
Best Practices
- Use a dedicated, monitored security email address.
- Provide a PGP key if you expect encrypted reports.
- Keep the file up to date and version-controlled.
- Avoid including too much personal info: just what's needed to report an issue.
Why It Matters
A security.txt
file helps you:
- Show that you take security seriously.
- Reduce the risk of public disclosure by giving researchers a responsible path.
- Comply with modern security practices and industry standards.