security.txt Check.

Security Sensitive File Exposure

security.txt enables responsible disclosure — good practice for vulnerability reports

What does this check test?

The `security.txt` file (defined in RFC 9116) is a standard for websites to communicate their security contact information and vulnerability disclosure policy. Located at `/.well-known/security.txt` (or `/security.txt`), it provides fields for contact email/URL, encryption keys (PGP), acknowledgments page, preferred languages, security policy URL, and an expiry date. This check verifies whether a valid `security.txt` file exists and contains the required fields.

Why does it matter?

Without a `security.txt` file, security researchers who discover vulnerabilities in your application have no clear way to report them responsibly. They may resort to public disclosure, file reports through generic contact forms that get ignored, or simply walk away. A `security.txt` file signals that your organization takes security seriously and provides a direct channel for vulnerability reports. Many bug bounty platforms and security researchers check for this file when deciding whether to engage with a target.

Who is affected?

Every organization with a web presence should have a `security.txt` file. It is especially important for companies that handle sensitive user data, financial transactions, or healthcare information. Organizations participating in bug bounty programs benefit from linking their program in the file. Even small businesses and personal projects benefit from providing a security contact, as it reduces the likelihood that discovered vulnerabilities go unreported.

Where does this apply?

The file should be located at `/.well-known/security.txt` (preferred, per RFC 9116) and optionally at `/security.txt` as a fallback. It must be served over HTTPS. The file should contain at minimum a `Contact` field (email or URL) and an `Expires` field (an ISO 8601 date indicating when the file should be considered stale). Additional recommended fields include `Encryption`, `Acknowledgments`, `Preferred-Languages`, and `Policy`.

How to fix it

Create a `security.txt` file with the required fields:

```
Contact: mailto:security@example.com
Contact: https://example.com/security/report
Expires: 2027-01-01T00:00:00.000Z
Encryption: https://example.com/.well-known/pgp-key.txt
Acknowledgments: https://example.com/security/hall-of-fame
Preferred-Languages: en
Policy: https://example.com/security/policy
```

Place it at `/.well-known/security.txt` and ensure it is served with `Content-Type: text/plain`. Use the generator at securitytxt.org to create a properly formatted file. Set a calendar reminder to update the `Expires` date before it lapses. Optionally sign the file with PGP to prove authenticity.
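The following validator is an added example, not AppVet's own check or code from RFC 9116: it parses a `security.txt` body (the sample file from this section, embedded so it runs offline) and applies the rules the check describes, namely that `Contact` and `Expires` are present, that `Expires` appears once, carries a time zone and is not in the past, and that each `Contact` value is a `mailto:`, `https://` or `tel:` URI. The function and constant names are assumptions.

```python
from datetime import datetime, timezone

# Constructed sample: the security.txt shown above, embedded so the check runs offline.
SAMPLE = """Contact: mailto:security@example.com
Contact: https://example.com/security/report
Expires: 2027-01-01T00:00:00.000Z
Encryption: https://example.com/.well-known/pgp-key.txt
Acknowledgments: https://example.com/security/hall-of-fame
Preferred-Languages: en
Policy: https://example.com/security/policy
"""

# URI schemes RFC 9116 allows in a Contact value.
CONTACT_SCHEMES = ("mailto:", "https://", "tel:")

def parse_rfc3339(value):
    """Parse an RFC 3339 date-time such as 2027-01-01T00:00:00.000Z into a datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def parse_security_txt(body):
    """Return {field-name (lower-cased): [values]}; blank lines and '#' comments are skipped."""
    fields = {}
    for line in body.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if sep:
            fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields

def validate_security_txt(body, now=None):
    """Return a list of findings; an empty list means the file passes the check.
    `now` is an optional RFC 3339 string used as the reference time (default: current UTC)."""
    ref = parse_rfc3339(now) if now else datetime.now(timezone.utc)
    fields, findings = parse_security_txt(body), []
    contacts = fields.get("contact", [])
    if not contacts:
        findings.append("missing required Contact field")
    for c in contacts:
        if not c.lower().startswith(CONTACT_SCHEMES):
            findings.append(f"Contact is not a mailto:, https:// or tel: URI: {c}")
    expires = fields.get("expires", [])
    if not expires:
        findings.append("missing required Expires field")
    elif len(expires) > 1:
        findings.append("Expires must appear exactly once")
    else:
        try:
            exp = parse_rfc3339(expires[0])
        except ValueError:
            findings.append(f"Expires is not an RFC 3339 date-time: {expires[0]}")
        else:
            if exp.tzinfo is None:
                findings.append("Expires must include a time zone offset")
            elif exp <= ref:
                findings.append(f"file is stale: Expires {expires[0]} is in the past")
    return findings
```

Run it against the body fetched from `/.well-known/security.txt`; a non-empty result is what this check would flag.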

AppVet runs the security.txt check automatically

Run a free security scan and get a full report with actionable fixes, including a Fix with AI prompt you can paste into any coding tool.