# Our security address
Contact: [email protected]

# Our PGP key

# Our security policy
“When security risks in web services are discovered by independent security researchers who understand the severity of the risk, they often lack the channels to disclose them properly. As a result, security issues may be left unreported. Security.txt defines a standard to help organizations define the process for security researchers to disclose security vulnerabilities securely.”


What is the main purpose of security.txt?

The main purpose of security.txt is to help make things easier for companies and security researchers when trying to secure platforms. Thanks to security.txt, security researchers can easily get in touch with companies about security issues.

Is security.txt an RFC?

security.txt is currently an Internet draft that has been submitted for RFC review. This means that security.txt is still in the early stages of development. We welcome contributions from the public.

Where should I put the security.txt file?

The security.txt file should be placed under the /.well-known/ path (/.well-known/security.txt) [RFC5785].

Will adding an email address expose me to spam bots?

The email value is an optional field. If you are worried about spam, you can set a URI as the value and link to your security policy.

Generate your security.txt file

Contact: (description)

Encryption: (description)

Acknowledgements: (description)

Policy: (description)

Signature: (description)
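
A small linter for the file described above, added here as an example and not code from the security.txt project or from any of the parsers listed further down: it accepts the five field names from the generator form, skips `#` comment lines, and checks the /.well-known/ location. Treating a missing Contact as a problem, the function names, and the sample file are assumptions of this example.

```python
from urllib.parse import urlsplit

# Field names as listed in the generator form on this page.
KNOWN_FIELDS = {"contact", "encryption", "acknowledgements", "policy", "signature"}
WELL_KNOWN_PATH = "/.well-known/security.txt"

# Constructed sample: two valid fields, one unknown field, one malformed line.
SAMPLE = """\
# Our security address
Contact: https://example.com/security-policy
# Our PGP key
Encryption: https://example.com/pgp-key.txt
Telephone: +1-555-0100
Policy
"""


def at_well_known_path(url):
    """Return True if the URL's path is /.well-known/security.txt."""
    return urlsplit(url).path == WELL_KNOWN_PATH


def lint(text):
    """Parse security.txt text and return (fields, problems)."""
    fields, problems = {}, []
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):  # blank line or comment
            continue
        name, sep, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if not sep or not value:
            problems.append(f"line {number}: expected 'Field: value'")
        elif name not in KNOWN_FIELDS:
            problems.append(f"line {number}: unknown field '{name}'")
        else:
            fields.setdefault(name, []).append(value)  # a field may repeat
    # Assumption of this example: a file without Contact is not useful.
    if "contact" not in fields:
        problems.append("no Contact field")
    return fields, problems


if __name__ == "__main__":
    parsed, issues = lint(SAMPLE)
    print(parsed)
    print("\n".join(issues))
```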


The editor would like to acknowledge the help provided during the development of security.txt by the following individuals:

Tom Hudson helped write the "File Format Description" and wrote several security.txt parsers.

Joel Margolis was a big help when it came to wording the Internet draft appropriately.

Bugcrowd, Casey Ellis, and Chris Raethke for transferring to the security.txt project and for sharing details about previous work that they conducted on a similar project.

Jobert Abma for raising issues and concerns that might arise when using certain directives.

Gerben Janssen van Doorn for reviewing the Internet draft multiple times.

Justin Calmus was always there to answer questions related to writing the Internet draft.

Eduardo Vela and Krzysztof Kotowicz for meeting in person to discuss security.txt in great detail.

Security.txt projects

Identify and Parse Web Security Policies Files in R by boB Rudis.

The official Chrome extension for security.txt by Karel Origin.

A security.txt parser for Go by Tom Hudson.

A security.txt parser for PHP by Tom Hudson.

Golang security.txt parser and cli tool by Adam Shannon.

A PSR-4 security.txt reader and writer for PHP 7+ by Austin Heap.

A configurable security.txt plugin for Laravel 5.5+ by Austin Heap.

A configurable security.txt plugin for WordPress 4.9 by Austin Heap.

An npm package for express applications by Gergely Nemeth.

A Node.js middleware for Express that implements security.txt by Liran Tal.
