Why security.txt Matters
When a security researcher discovers a vulnerability in your web application, what do they do? If there's no clear disclosure channel, they may give up, go public immediately, or — in the worst case — sell the information. security.txt solves this by placing a standardized, machine-readable contact file exactly where researchers expect to find it: /.well-known/security.txt.
Defined in RFC 9116, security.txt is a plain text file that communicates how to report security issues, what policies apply, and who is responsible for security at your organization.
The security.txt File Format
The file uses a simple Field: Value format. Here is a complete, well-structured example:
```
Contact: mailto:security@example.com
Contact: https://example.com/security/report
Expires: 2026-01-01T00:00:00Z
Encryption: https://example.com/pgp-key.txt
Acknowledgments: https://example.com/security/hall-of-fame
Policy: https://example.com/security/policy
Preferred-Languages: en
Canonical: https://example.com/.well-known/security.txt
```
Field Reference
| Field | Required? | Description |
|---|---|---|
| Contact | Yes | Where to send reports. Can be email (mailto:), URL, or phone. Multiple entries allowed. |
| Expires | Yes | ISO 8601 datetime after which this file is considered stale. Keeps stale contact info from being used. |
| Encryption | Recommended | URL to a PGP public key for encrypted submissions. |
| Acknowledgments | Recommended | Link to your security acknowledgments or hall of fame page. |
| Policy | Recommended | URL to your full Vulnerability Disclosure Policy (VDP) or bug bounty program rules. |
| Preferred-Languages | Optional | Languages the security team can work in. |
| Canonical | Optional | The canonical URL of this file, useful if served from multiple locations. |
| Hiring | Optional | Link to security-related job postings. |
Step-by-Step Implementation
- Create the file. Write your security.txt content in plain text, UTF-8 encoded. Start with the required `Contact` and `Expires` fields.
- Set a realistic expiry. RFC 9116 recommends no more than one year in the future. Set a calendar reminder to update it before it expires — an expired security.txt signals an unmaintained program.
- Sign the file with PGP (strongly recommended). A signed file prevents tampering and assures researchers they're reading authentic contact information. Use a detached signature or inline clearsign format:

  ```
  gpg --clearsign security.txt
  ```

  This produces `security.txt.asc` — serve this as your security.txt content.
- Host it at the correct path. The canonical location is `https://yourdomain.com/.well-known/security.txt`. The legacy path `/security.txt` at the root is also checked by some tools, but prefer the well-known path.
- Set the correct Content-Type. Serve the file as `text/plain; charset=utf-8`. Some servers may try to serve it as `application/octet-stream` — override this explicitly.
- Create your disclosure policy page. The `Policy` field is only useful if the linked page clearly explains your rules: what's in scope, response time commitments, safe harbor provisions, and reward details if applicable.
Verifying Your Implementation
Several tools can validate your security.txt:
- securitytxt.org: The official project site includes an online validator.
- curl: `curl https://yourdomain.com/.well-known/security.txt` — check that it returns the file with a 200 status.
- Security scanner integrations: Tools like Mozilla Observatory and various bug bounty platforms check for security.txt as part of their assessments.
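The checks from the field reference and the implementation steps above can also be run offline. The following validator is an added example, not code from the original page or from the securitytxt.org project: it parses a security.txt, including one wrapped in the clearsign armor that `gpg --clearsign` emits, and reports a missing `Contact` or `Expires`, a `Contact` whose scheme is not `mailto:`, `tel:` or `https://`, and an `Expires` that is malformed, already past, or more than a year out. `SAMPLE` is a constructed file with a placeholder signature body; the code reads through the armor but does not verify the signature.

```python
# Added example, not from the page or the securitytxt.org project: parse a
# security.txt (plain or PGP-clearsigned) and apply the checks described above.
# SAMPLE is a constructed clearsigned file with a placeholder signature body.
from datetime import datetime, timedelta, timezone

REQUIRED = ("Contact", "Expires")
CONTACT_SCHEMES = ("mailto:", "tel:", "https://")  # RFC 9116: web URIs must be https
SAMPLE = """-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Contact: mailto:security@example.com
Expires: 2026-01-01T00:00:00Z
-----BEGIN PGP SIGNATURE-----
(placeholder, not a real signature)
-----END PGP SIGNATURE-----
"""

def parse_security_txt(text):
    """Return {field: [values]}. Skips blanks, '#' comments and, for a
    clearsigned file, the armor lines, 'Hash:' header and signature block."""
    fields, in_signature = {}, False
    for line in map(str.strip, text.splitlines()):
        in_signature |= line == "-----BEGIN PGP SIGNATURE-----"
        if in_signature or not line or line[0] in "#-" or line.startswith("Hash:"):
            continue
        name, sep, value = line.partition(":")
        if sep:
            fields.setdefault(name.strip(), []).append(value.strip())
    return fields

def validate_security_txt(text, now=None):
    now = now or datetime.now(timezone.utc)  # pass a fixed 'now' for repeatable runs
    fields = parse_security_txt(text)
    problems = ["missing required field: " + f for f in REQUIRED if f not in fields]
    problems += ["Contact is not a mailto:/tel:/https: URI: " + c
                 for c in fields.get("Contact", []) if not c.startswith(CONTACT_SCHEMES)]
    for value in fields.get("Expires", []):
        iso = value[:-1] + "+00:00" if value[-1:] in ("Z", "z") else value  # 'Z' = UTC
        try:
            when = datetime.fromisoformat(iso)
        except ValueError:
            when = None
        if when is None or when.tzinfo is None:  # RFC 3339 requires a UTC offset
            problems.append("Expires is not an RFC 3339 timestamp: " + value)
        elif when <= now:
            problems.append("file expired on " + value)
        elif when - now > timedelta(days=365):
            problems.append("Expires is more than a year out: " + value)
    return problems
```

An empty list from `validate_security_txt` means the file passed; each string in a non-empty list names one problem to fix before publishing.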
Organizational Considerations
Beyond the technical setup, a security.txt is only valuable if the process behind it works:
- Assign a real owner to the contact address — security reports sitting in an unmonitored inbox cause harm.
- Acknowledge receipt within 24–72 hours. Researchers who hear nothing often go public.
- Honor your safe harbor. If you say researchers acting in good faith won't face legal action, mean it.
- Update the file when contact details change, programs launch or end, or scope changes.
A security.txt file is a low-effort, high-signal investment in your security posture. It costs minutes to implement and can prevent vulnerabilities from being exploited or disclosed irresponsibly.