← All guides
security.txt: How Researchers Report Vulnerabilities to You
security.txt is a small text file, standardised in RFC 9116, that tells security researchers how to report a vulnerability they find in your site. It is a simple maturity signal that shortens the path to responsible disclosure.
Where it goes
Place the file at /.well-known/security.txt over HTTPS. A legacy /security.txt location is also recognised, but the well-known path is canonical.
What to include
At minimum a Contact: line (an email or reporting URL) and an Expires: date. You can also add Policy:, Encryption: (a PGP key), Acknowledgments:, and Preferred-Languages:.