security.txt: A simple standard for publishing security contact details
Learn what security.txt is, where to place it, and which fields to include to help researchers responsibly disclose vulnerabilities.
What is security.txt
security.txt is a simple, machine-readable way for a website to publish how to contact its security team and disclose vulnerabilities. The file lives at /.well-known/security.txt on a site and is intended to help researchers reach the right person quickly.
Why it exists
It standardizes how organizations share vulnerability disclosure contact details, making it easier for researchers to find the right channel without hunting through pages or making multiple inquiries.
How to use security.txt
Where to place the file
Place the file at https://example.com/.well-known/security.txt (or the equivalent on your site). Researchers and automated scanners check this well-known location, so serve it over HTTPS with a plain-text content type.
What to include (fields)
The file uses a simple "Field: value" format, one field per line. Contact and Expires are the two required fields; Expires must be a full RFC 3339 timestamp (date and time with a time zone), not a bare date. Common fields:
- Contact: mailto:security@example.com
- Encryption: https://example.com/pgp-key.txt
- Policy: https://example.com/security-policy
- Expires: 2026-01-01T00:00:00.000Z
- Acknowledgments: https://example.com/security-acknowledgments
- Preferred-Languages: en

Example
Contact: mailto:security@example.com
Encryption: https://example.com/pgp-key.txt
Policy: https://example.com/security-policy
Expires: 2026-01-01T00:00:00.000Z
Acknowledgments: https://example.com/security-acknowledgments
Preferred-Languages: en
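A small checker for this format, added here as an example and not part of the original article: it parses a constructed copy of the sample above, confirms the required Contact and Expires fields are present, rejects a bare-date Expires value, and flags a file that has already expired or expires more than a year out.

```python
from datetime import datetime, timedelta, timezone
# Constructed sample mirroring the article's example, with Expires written
# as the RFC 3339 timestamp that RFC 9116 requires.
SAMPLE = """\
Contact: mailto:security@example.com
Encryption: https://example.com/pgp-key.txt
Policy: https://example.com/security-policy
Expires: 2026-01-01T00:00:00.000Z
Acknowledgments: https://example.com/security-acknowledgments
Preferred-Languages: en
"""

def parse_security_txt(text):
    """Return {lowercased field: [values]}; '#' comments and blank lines are skipped."""
    fields = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if sep and not line.lstrip().startswith("#"):
            fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields

def parse_ts(value):
    """Parse an RFC 3339 timestamp; None if malformed or missing a time zone."""
    try:
        ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return None
    return ts if ts.tzinfo else None

def validate(text, now_iso=None):
    """Return the problems to fix before publishing (empty list means OK)."""
    now = parse_ts(now_iso) if now_iso else datetime.now(timezone.utc)
    f, problems = parse_security_txt(text), []
    if "contact" not in f:
        problems.append("missing Contact (required)")
    for c in f.get("contact", []):
        if not c.startswith(("mailto:", "tel:", "https://")):
            problems.append(f"Contact should use mailto:, tel: or https://, got {c}")
    exp = f.get("expires", [])
    if len(exp) != 1:
        problems.append("Expires must appear exactly once")
    elif (when := parse_ts(exp[0])) is None:
        problems.append(f"Expires is not an RFC 3339 timestamp: {exp[0]}")
    elif when <= now:
        problems.append("file has expired; researchers may treat it as stale")
    elif when - now > timedelta(days=365):
        problems.append("Expires is more than a year out; under a year is recommended")
    for name in ("encryption", "policy", "acknowledgments"):
        for url in f.get(name, []):
            if not url.startswith("https://"):
                problems.append(f"{name.title()} should be an https URL: {url}")
    return problems
```

Run `validate(open("security.txt").read())` before each deployment; a non-empty list is what a researcher's tooling would also trip over.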
Best practices
- Keep the Contact field up to date.
- Use a stable policy URL that explains how you handle reports.
- Include an encryption key or secure channel for sensitive reports.

Privacy and accuracy
Only publish information you’re comfortable sharing publicly. Regularly review the file to avoid stale contacts.
Maintenance
Update the file when contacts or policies change. Automate deployment as part of your site’s configuration.
Limitations and adoption
Not all organizations use security.txt, and researchers may still reach you through other channels. It’s a helpful signal, but not a guarantee of a response time or policy.
Conclusion
security.txt is a lightweight, machine-readable supplement to your security contact process. Used correctly, it speeds up responsible disclosure and helps researchers connect with the right team.
Anne Kanana