
Security.txt

Security.txt is a proposed standard (RFC 9116) that defines a file at /.well-known/security.txt on your website where security researchers can find contact information for reporting vulnerabilities. Without it, researchers who find issues in your site may have no way to reach you and may disclose publicly instead.

What SecurityStatus Checks

  • Whether a security.txt file exists at /.well-known/security.txt or /security.txt
  • Whether the file contains the required Contact field
  • Whether the file has an Expires field (required by RFC 9116)
  • Whether the file is digitally signed (recommended)

Why This Matters

Responsible security researchers who find vulnerabilities in your site want to report them privately. Without a security.txt, they often give up or go public after failing to find a contact. A security.txt gives you a chance to fix issues before they become public, potentially preventing breaches.

How to Fix It

  1. Create the security.txt file

     Create a file at your web root: `/.well-known/security.txt`. Minimum content: `Contact: mailto:security@yourdomain.com` and `Expires: 2026-12-31T23:59:59Z`.

  2. Add all relevant fields

     A complete security.txt includes: Contact (required), Expires (required), Policy (link to your security policy), Acknowledgments (link to your hall of fame), Preferred-Languages, and optionally Encryption (PGP key URL).

  3. Set up the security contact

     The Contact email should go to someone who can actually respond. Set up a dedicated security@yourdomain.com alias that routes to your security team or a ticketing system.

  4. Optionally sign the file with PGP

     Sign your security.txt with your organisation's PGP key to prove authenticity. Add the Encryption field pointing to your public key. This is optional but signals higher security maturity.
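The following script is an added example, not SecurityStatus's own checker and not code from RFC 9116. It serves two passages on this page: it embeds a complete security.txt of the kind the four fix steps above produce (a constructed sample; `example.com`, the key URL and the dates are placeholders), and it implements the four checks listed under "What SecurityStatus Checks": a Contact field with an accepted URI scheme, exactly one well-formed, unexpired Expires value, an https Encryption URL when present, and whether the file is PGP cleartext-signed. The signature check only detects the armor; actually verifying it needs `gpg` and the organisation's public key, so that step is left out here.

```python
from datetime import datetime, timedelta, timezone

PGP_SIGNED_HEADER = "-----BEGIN PGP SIGNED MESSAGE-----"
PGP_SIG_BEGIN = "-----BEGIN PGP SIGNATURE-----"

# Constructed sample: a complete security.txt as described in the fix steps.
# example.com, the key URL and the dates are placeholders, not real values.
SAMPLE_SECURITY_TXT = """\
# Constructed sample; comment lines are permitted and ignored by parsers.
Contact: mailto:security@example.com
Contact: https://example.com/security/report
Expires: 2026-12-31T23:59:59Z
Encryption: https://example.com/pgp-key.txt
Acknowledgments: https://example.com/security/hall-of-fame
Preferred-Languages: en, de
Policy: https://example.com/security/policy
Canonical: https://example.com/.well-known/security.txt
"""


def strip_cleartext_armor(text):
    """Return (body, signed). For a PGP cleartext-signed file, drop the armor
    header, the Hash: header block and the signature so only the security.txt
    fields remain. Presence check only; cryptographic verification is not done."""
    lines = text.splitlines()
    if not lines or lines[0].strip() != PGP_SIGNED_HEADER:
        return text, False
    body, in_armor_headers = [], True
    for line in lines[1:]:
        if in_armor_headers:  # armor headers such as "Hash: SHA256" end at the first blank line
            if line.strip() == "":
                in_armor_headers = False
            continue
        if line.strip() == PGP_SIG_BEGIN:
            break
        # cleartext signing dash-escapes lines that begin with "-"
        body.append(line[2:] if line.startswith("- ") else line)
    return "\n".join(body), True


def parse_fields(body):
    """Collect 'Field: value' lines into {field: [values]}. Comments and blank
    lines are skipped; field names are case-insensitive per RFC 9116."""
    fields = {}
    for line in body.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if sep:
            fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def check_security_txt(text, now=None):
    """Run the checks; returns {"errors", "warnings", "fields", "signed"}."""
    now = now or datetime.now(timezone.utc)
    body, signed = strip_cleartext_armor(text)
    fields = parse_fields(body)
    errors, warnings = [], []

    contacts = fields.get("contact", [])
    if not contacts:
        errors.append("missing required Contact field")
    for contact in contacts:  # RFC 9116 requires a URI: mailto:, https: or tel:
        scheme = contact.split(":", 1)[0].lower()
        if scheme not in ("mailto", "https", "tel"):
            errors.append(f"Contact is not a mailto:, https: or tel: URI: {contact}")

    expires = fields.get("expires", [])
    if len(expires) != 1:
        errors.append("Expires must appear exactly once")
    else:
        try:
            exp = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
            if exp.tzinfo is None:
                errors.append("Expires lacks a timezone offset")
            elif exp <= now:
                errors.append(f"file expired on {expires[0]}")
            elif exp - now > timedelta(days=365):
                warnings.append("Expires is more than a year away; RFC 9116 recommends less")
        except ValueError:
            errors.append(f"Expires is not an ISO 8601 datetime: {expires[0]}")

    for url in fields.get("encryption", []):
        if not url.startswith(("https://", "dns:", "openpgp4fpr:")):
            warnings.append(f"Encryption should be an https:, dns: or openpgp4fpr: URI: {url}")

    if not signed:
        warnings.append("file is not PGP cleartext-signed (recommended)")

    return {"errors": errors, "warnings": warnings, "fields": fields, "signed": signed}


if __name__ == "__main__":
    result = check_security_txt(SAMPLE_SECURITY_TXT)
    print("signed:", result["signed"])
    for kind in ("errors", "warnings"):
        for msg in result[kind]:
            print(f"{kind[:-1]}: {msg}")
```

Run it against your own file with `check_security_txt(open("security.txt").read())`; an empty `errors` list is what the first three checks on this page correspond to, and `signed` reflects the fourth. Passing a fixed `now` makes the Expires check reproducible, which is useful if you run this in CI.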

Frequently Asked Questions

Is security.txt a legal requirement?
No, but it is becoming a de facto standard. Many bug bounty programs and large organisations require it. The UK National Cyber Security Centre recommends it for all organisations.
What should the Contact field contain?
It can be a mailto: link, a URL (to a bug bounty platform like HackerOne), or a phone number. Email is most common. Make sure someone actively monitors it.
Does having security.txt invite more attacks?
No. Attackers do not look for security.txt before attacking — they attack regardless. Security.txt only helps legitimate researchers contact you. It has no effect on attacker behaviour.
