“When security risks in web services are discovered by independent security researchers who understand the severity of the risk, they often lack the channels to disclose them properly. As a result, security issues may be left unreported. security.txt defines a standard to help organizations define the process for security researchers to disclose security vulnerabilities securely.”
security.txt files have been implemented by Google,
government, and many other organisations. In addition, the
Ministry of Justice, the Cybersecurity
and Infrastructure Security Agency (US), the French
government, the Italian
government, and the Australian
Cyber Security Centre endorse the use of security.txt files.
Create a text file called
security.txt under the
.well-known directory of your project.
You are ready to go! Publish your security.txt file. If you want to give security researchers confidence that your security.txt file is authentic, and not planted by an attacker, consider digitally signing the file with an OpenPGP cleartext signature.
The main purpose of security.txt is to help make things easier for companies and security researchers when trying to secure platforms. Thanks to security.txt, security researchers can easily get in touch with companies about security issues.
security.txt is currently an Internet draft that has been submitted for RFC review. This means that security.txt is still in the early stages of development. We welcome contributions from the public: https://github.com/securitytxt/security-txt
For websites, the security.txt file should be placed under the
/.well-known/ path (
/.well-known/security.txt) [RFC8615]. It can also be placed in the root directory (
/security.txt) of a website, especially if the
/.well-known/ directory cannot be used for technical reasons, or simply as a fallback. The file can be placed in both locations of a website at the same time.
The security.txt file should have an Internet Media Type of
text/plain and must be served over HTTPS.
The email value is an optional field. If you are worried about spam, you can set a URI as the value and link to your security policy.