A proposed standard which allows websites to define security policies.

Read the latest Internet draft →


“When security risks in web services are discovered by independent security researchers who understand the severity of the risk, they often lack the channels to disclose them properly. As a result, security issues may be left unreported. security.txt defines a standard to help organizations define the process for security researchers to disclose security vulnerabilities securely.”

Step 1

Create a text file called security.txt under the .well-known directory of your project.

Contact: (description)*

Encryption: (description)

Acknowledgements: (description)

Policy: (description)

Signature: (description)

Hiring: (description)

Step 2

You are ready to go! Publish your security.txt file.
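
A lint for the file from Step 1, to run before it is published at /.well-known/security.txt; this is an added example, not code from the security.txt project. It assumes the asterisk on Contact marks that field as required and that lines starting with # are comments; the sample files and example.com are constructed.

```python
# Added example, not from the security.txt project.
KNOWN_FIELDS = {"contact", "encryption", "acknowledgements",
                "policy", "signature", "hiring"}   # fields listed in Step 1
REQUIRED_FIELDS = {"contact"}   # assumption: the asterisk marks "required"


def parse_security_txt(text):
    """Return (fields, problems); fields maps lower-cased name -> values."""
    fields, problems = {}, []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):   # assumption: '#' starts a comment
            continue
        name, sep, value = line.partition(":")     # split at the first colon only
        name, value = name.strip().lower(), value.strip()
        if not sep or not name:
            problems.append(f"line {lineno}: not a 'Field: value' line")
        elif name not in KNOWN_FIELDS:
            problems.append(f"line {lineno}: unknown field '{name}'")
        elif not value:
            problems.append(f"line {lineno}: '{name}' has no value")
        else:
            fields.setdefault(name, []).append(value)
    return fields, problems


def contact_kind(value):
    """Classify a Contact value as 'uri', 'email' or 'other'."""
    if value.lower().startswith(("https://", "http://")):
        return "uri"
    return "email" if "@" in value else "other"


def lint(text):
    """Return every problem found in a security.txt body."""
    fields, problems = parse_security_txt(text)
    for name in sorted(REQUIRED_FIELDS - set(fields)):
        problems.append(f"missing required field '{name}'")
    return problems


# Constructed sample files; example.com is a placeholder domain.
GOOD = """# constructed sample
Contact: https://example.com/security-policy
Contact: security@example.com
Encryption: https://example.com/pgp-key.txt
Hiring: https://example.com/jobs
"""
BAD = "Encryption: https://example.com/pgp-key.txt\nContcat: security@example.com\nPolicy:\n"
```

`contact_kind` shows which Contact lines publish an email address and which point to a policy URI, the trade-off the spam question in the FAQ describes.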

Frequently asked questions

What is the main purpose of security.txt?

The main purpose of security.txt is to help make things easier for companies and security researchers when trying to secure platforms. Thanks to security.txt, security researchers can easily get in touch with companies about security issues.

Is security.txt an RFC?

security.txt is currently an Internet draft that has been submitted for RFC review. This means that security.txt is still in the early stages of development. We welcome contributions from the public:

Where should I put the security.txt file?

The security.txt file should be placed under the /.well-known/ path (/.well-known/security.txt) [RFC5785].

Will adding an email address expose me to spam bots?

The email value is an optional field. If you are worried about spam, you can set a URI as the value and link to your security policy.
