Why Every Website Needs a security.txt File
RFC 9116 introduced security.txt as a standard for vulnerability disclosure. Here is why you need one.
security.txt (RFC 9116) is a proposed standard that helps security researchers know whom to contact when they discover a vulnerability on your website.
What Is security.txt?
It is a simple text file placed at `/.well-known/security.txt` that contains your security contact information:

- **Contact**: Email or URL for vulnerability reports
- **Expires**: When the information should be considered stale
- **Encryption**: PGP/GPG key for encrypted communication
- **Policy**: Link to your vulnerability disclosure policy
- **Acknowledgments**: Link to your security hall of fame
Why You Need It
Without security.txt, researchers who find vulnerabilities on your site may:

- Give up and not report the issue
- Disclose the vulnerability publicly
- Report it through inappropriate channels
A security.txt file shows you take security seriously and welcome responsible disclosure.