What is a security.txt file?

security.txt is a plain-text file placed at a well-known URL on your website (/.well-known/security.txt) that tells security researchers how to report vulnerabilities to you. It is standardised by RFC 9116 and typically contains a contact method (email or web form URL), an expiry date, and optionally a link to your security policy or PGP key.

Where should I place my security.txt file?

RFC 9116 specifies that security.txt must be served from /.well-known/security.txt over HTTPS. A legacy location at /security.txt is also acceptable but the /.well-known/ path is canonical. The file must be served with Content-Type: text/plain and must be accessible without authentication.

What fields are required in a security.txt file?

RFC 9116 requires two fields: Contact (a URI for reporting vulnerabilities — an email address or a web form URL) and Expires (an ISO 8601 datetime indicating when the file should be considered stale). Common optional fields include Encryption (link to a PGP public key), Policy (URL to your vulnerability disclosure policy), and Acknowledgments (URL to a page crediting reporters).

Does having a security.txt file affect my WebAudit security score?

WebAudit detects whether your site serves a valid security.txt file and reports it in the HTTP headers section of the scan. While security.txt presence is currently reported as an informational finding rather than a scored item, it is considered a security best practice and is increasingly expected by bug bounty platforms and enterprise procurement checklists.

Minor Disclosure 5 min read

security.txt: The RFC 9116 Standard Explained

Security researchers discover vulnerabilities in websites every day. Without a clear disclosure channel, they may not know who to contact — or give up entirely. A security.txt file is a two-minute setup that gives researchers a verified, machine-readable path to report what they find.

What is security.txt?

security.txt is a proposed standard (RFC 9116, published April 2022) that defines a plain-text file organisations can publish to communicate their security disclosure preferences. It tells security researchers: here's how to contact us, here's our disclosure policy, here's what we'd like you to include in a report.

The concept is modelled on robots.txt — a well-known convention that any tool can discover without needing to know the organisation's structure in advance. Automated vulnerability scanners, bug bounty platforms, and responsible disclosure tools all look for security.txt as the first step when reporting a finding.

Major organisations including Google, GitHub, and the UK NCSC publish security.txt files. Bug bounty programs commonly reference it. Without it, researchers who find something serious in your site often have no idea where to report it.

Where to Place the File

RFC 9116 specifies two canonical locations. Tools check them in this order:

https://yourdomain.com/.well-known/security.txt — the canonical location per RFC 8615 (Well-Known URIs)
https://yourdomain.com/security.txt — a fallback location for compatibility

The .well-known/ location is preferred. Many web servers serve files from this directory automatically, but you may need to configure your server to allow access to this path if you have rules blocking dotfiles.

The file must be served over HTTPS. An HTTP-only security.txt is considered invalid by most tooling.

Required Fields

RFC 9116 defines two required fields. A security.txt without both is technically non-compliant:

Field	Required	Description
`Contact:`	Required	Where to send vulnerability reports. Can be a URL (bug bounty platform, form), an email address (`mailto:`), or a phone number (`tel:`). You can list multiple Contact fields.
`Expires:`	Required	An ISO 8601 datetime after which the file should be considered stale. Prevents outdated contact info being trusted indefinitely. Renew yearly.

Optional Fields

Field	Description
`Encryption:`	A URL pointing to a PGP public key researchers can use to encrypt reports. Useful for sensitive disclosures.
`Acknowledgments:`	A URL to a page where you acknowledge researchers who have reported issues.
`Preferred-Languages:`	A comma-separated list of language codes you prefer to receive reports in.
`Canonical:`	The canonical URL of this security.txt file itself, for verification.
`Policy:`	A URL to your vulnerability disclosure policy (scope, responsible disclosure rules, safe harbour).
`Hiring:`	A URL to security-related job postings.

How Researchers Use security.txt

When a security researcher finds a potential vulnerability on your site, their first step is typically to look for a security.txt file. They check /.well-known/security.txt and /security.txt. If they find a valid file, they know exactly who to contact and in what format.

Without a security.txt, researchers face a time-consuming search for a security contact: hunting for a security@ email address, finding a bug bounty profile, or guessing who to email. Many give up and report elsewhere, report publicly, or simply don't bother at all. A vulnerability that could have been disclosed privately ends up being published or exploited.

Automated tools like vulnerability scanners and OSINT frameworks also check for security.txt to understand a target's disclosure policy before testing. A well-written policy field can communicate your safe harbour position — protecting researchers who act in good faith and encouraging more reports.

Example security.txt File

# Security contact for example.com
Contact: mailto:security@example.com
Contact: https://bugcrowd.com/example
Expires: 2027-01-01T00:00:00.000Z
Preferred-Languages: en, hi
Policy: https://example.com/security-policy
Acknowledgments: https://example.com/security/hall-of-fame
Canonical: https://example.com/.well-known/security.txt

For a domain that doesn't run a bug bounty

Contact: mailto:security@yourdomain.com
Expires: 2027-06-01T00:00:00.000Z
Preferred-Languages: en

PGP Signing (Optional but Recommended)

RFC 9116 allows the security.txt file to be PGP-signed. A signed file lets researchers verify the contact information hasn't been tampered with — important if an attacker compromised your server and changed the contact email to their own address. If you publish a security.txt for a high-value target, consider signing it.

Set a calendar reminder for a month before your Expires: date. Update the date and, if using PGP, re-sign the file. An expired security.txt is better than none, but tools will flag it as stale.

WebAudit's security.txt Tools

WebAudit checks for a valid security.txt at both canonical locations during every scan. It verifies the file is reachable over HTTPS, has a Contact field, and has a non-expired Expires field. For creating and validating your own file, use the WebAudit security.txt validator and generator.

Does your site have a security.txt?

WebAudit checks for security.txt as part of every scan and helps you generate a valid RFC 9116 compliant file.

Check your site's security now →