Safe Reporting

Security.txt

When a "Good Guy" hacker finds a hole in your security, how do they tell you? security.txt is the standardized "Contact Us" page for security issues.

01 The "Bat Signal" for Researchers

Security researchers scan the web daily. When they find a vulnerability in your site, the hard part is often not the finding but reaching someone who can act on it: a report sent to customer support is routinely closed as spam or never reaches engineering. security.txt solves this by publishing a clear, machine-readable contact channel for exactly this case.

02 The "Suggestion Box" Analogy

Imagine your website is a building. You lock the doors, but a window is left open:

The Researcher
A passerby who notices the open window.

The Problem
If they tell the receptionist (Support), the message gets lost.

The Solution
A dedicated "Security Hotline" sign (security.txt) that goes straight to the Security Team.

03 Anatomy of the File

It's a plain text file made of "Field: value" lines. RFC 9116 requires two fields, Contact and Expires; the others are optional but recommended:

Contact (required)

Email, Form or Phone

Contact: mailto:[email protected]
Who should receive the report. The value is a URI (mailto:, https: or tel:), not a bare address. You can list several Contact lines, most preferred first.

Expires (required)

Freshness Date

Expires: 2026-12-31T23:59:59Z
The date after which the file should no longer be trusted, so researchers don't write to a mailbox nobody reads any more. RFC 9116 recommends a date less than a year ahead; treat updating it as a recurring task.

Encryption

PGP Key

Encryption: https://example.com/pgp-key.txt
A link to your public key (the URL, never the key itself), so reports can be sent encrypted.

Policy

Rules

Policy: https://example.com/disclosure
What researchers are allowed (and not allowed) to test, and what they can expect from you in return.

A Canonical field naming the file's own URL, plus a PGP signature over the whole file made with the key in Encryption, lets a researcher confirm the file is really yours and not a copy hosted elsewhere.

04 Avoiding "Full Disclosure"

If a researcher can't reach you, they may give up, or publish the vulnerability publicly (a blog post, a social media thread) to get your attention. Publishing without giving the vendor a chance to fix first is called "Full Disclosure", and it hands attackers a blueprint before you can ship a patch.

Did you know? The file itself is not a legal agreement. The Policy field is where you link your disclosure policy, and that policy is the place to offer "Safe Harbor": a written promise not to pursue researchers who stay within the rules you set out.

05 Deployment in 3 Steps

It takes less than 5 minutes to set up:

1. Create the File

Create a plain text file named security.txt (UTF-8). Add at least a Contact line with a mailto: or https: URI and an Expires line with a future date.

2. Upload to Server

Place it at /.well-known/security.txt. This is the location defined by RFC 9116; the top-level /security.txt is only a legacy fallback. It must be served over HTTPS with a Content-Type of text/plain.

3. Validate

Use an automated scanner (or simply fetch the URL yourself) to confirm it returns 200 over HTTPS, parses as "Field: value" lines, has both required fields, and that Expires has not already passed.
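The kind of check step 3 describes, and the field rules from section 03, as an added example (this is not the page's own scanner or code from the RFC). It parses a security.txt body, including one that has been PGP clearsigned, and reports RFC 9116 violations. SAMPLE and BAD_SAMPLE are constructed inputs; every example.com value is a placeholder. Run it with no arguments to check SAMPLE, or pass a domain to fetch that site's file over HTTPS.

```python
"""RFC 9116 security.txt parser and checker (added example, not the page's scanner).

Rules implemented, all taken from RFC 9116:
  * Contact and Expires are required; Expires and Preferred-Languages appear at most once.
  * Contact values are URIs: mailto:, https: or tel:.
  * Policy/Canonical/Acknowledgments/Hiring must be https: URIs;
    Encryption may be https:, dns: or openpgp4fpr:.
  * Expires is an RFC 3339 timestamp in the future, ideally under a year away.
  * The file should be clearsigned with the key named in Encryption.
"""
from __future__ import annotations

import sys
import urllib.request
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

KNOWN = ("Acknowledgments", "Canonical", "Contact", "Encryption", "Expires",
         "Hiring", "Policy", "Preferred-Languages")
CANON = {name.lower(): name for name in KNOWN}   # field names are case-insensitive
REQUIRED = ("Contact", "Expires")
SINGLE = ("Expires", "Preferred-Languages")
HTTPS_ONLY = ("Policy", "Canonical", "Acknowledgments", "Hiring")

SAMPLE = """\
# Constructed sample; all values are placeholders
Contact: mailto:security@example.com
Contact: https://example.com/report
Expires: 2099-12-31T23:59:59Z
Encryption: https://example.com/pgp-key.txt
Policy: https://example.com/disclosure
Canonical: https://example.com/.well-known/security.txt
Preferred-Languages: en, nl
"""

BAD_SAMPLE = """\
contact: security@example.com
Encryption: http://example.com/pgp-key.txt
Expires: 2020-01-01T00:00:00Z
"""


@dataclass
class Report:
    fields: dict[str, list[str]] = field(default_factory=dict)
    errors: list[str] = field(default_factory=list)
    warnings: list[str] = field(default_factory=list)
    signed: bool = False

    @property
    def ok(self) -> bool:
        return not self.errors


def parse(text: str, report: Report) -> None:
    """Fill report.fields from 'Field: value' lines, skipping comments and PGP armor."""
    in_armor_header = False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip("\r")
        if line == "-----BEGIN PGP SIGNED MESSAGE-----":
            report.signed = True
            in_armor_header = True          # "Hash: ..." lines follow until a blank line
            continue
        if in_armor_header:
            in_armor_header = line != ""
            continue
        if line == "-----BEGIN PGP SIGNATURE-----":
            break                            # the signature block carries no fields
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep or not value.strip():
            report.errors.append(f"line {lineno}: expected 'Field: value', got {line!r}")
            continue
        name = CANON.get(name.strip().lower(), name.strip())   # unknown fields kept, not rejected
        report.fields.setdefault(name, []).append(value.strip())


def check(text: str, now: datetime | None = None) -> Report:
    """Parse and validate a security.txt body; returns a Report with errors and warnings."""
    now = now or datetime.now(timezone.utc)
    report = Report()
    parse(text, report)
    f = report.fields
    for name in REQUIRED:
        if name not in f:
            report.errors.append(f"missing required field {name}")
    for name in SINGLE:
        if len(f.get(name, [])) > 1:
            report.errors.append(f"{name} must appear only once")
    for value in f.get("Contact", []):
        if not value.lower().startswith(("mailto:", "https://", "tel:")):
            report.errors.append(f"Contact must be a mailto:, https: or tel: URI: {value!r}")
    for value in f.get("Encryption", []):
        if not value.lower().startswith(("https://", "dns:", "openpgp4fpr:")):
            report.errors.append(f"Encryption must be an https:, dns: or openpgp4fpr: URI: {value!r}")
    for name in HTTPS_ONLY:
        for value in f.get(name, []):
            if not value.lower().startswith("https://"):
                report.errors.append(f"{name} must be an https: URI: {value!r}")
    for value in f.get("Expires", [])[:1]:
        try:   # RFC 3339 allows a trailing Z; fromisoformat wants an explicit offset on older Pythons
            when = datetime.fromisoformat(value.replace("Z", "+00:00").replace("z", "+00:00"))
        except ValueError:
            report.errors.append(f"Expires is not an RFC 3339 timestamp: {value!r}")
            continue
        if when.tzinfo is None:
            report.errors.append("Expires must include a time zone offset")
        elif when <= now:
            report.errors.append(f"file expired on {value}")
        elif when - now > timedelta(days=365):
            report.warnings.append("Expires is more than a year away; RFC 9116 recommends less")
    if "Encryption" not in f:
        report.warnings.append("no Encryption field: reports cannot be sent encrypted")
    if not report.signed:
        report.warnings.append("file is not PGP clearsigned")
    return report


def fetch(domain: str, timeout: float = 10.0) -> str:
    """Download https://<domain>/.well-known/security.txt (network; not used by the offline demo)."""
    url = f"https://{domain}/.well-known/security.txt"
    with urllib.request.urlopen(url, timeout=timeout) as resp:   # raises on 4xx/5xx
        ctype = resp.headers.get("Content-Type", "")
        if not ctype.lower().startswith("text/plain"):
            raise ValueError(f"{url} served as {ctype!r}; RFC 9116 requires text/plain")
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    body = fetch(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE
    result = check(body)
    print("OK" if result.ok else "FAIL")
    for msg in result.errors:
        print(" error:", msg)
    for msg in result.warnings:
        print(" warning:", msg)
```

The checker separates errors (the RFC's MUSTs, such as a missing Expires or a bare email address where a mailto: URI is required) from warnings (its SHOULDs, such as an unsigned file or an Expires date more than a year out), so a team can gate deployment on the first list and track the second.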

Are you accessible? Check if your site complies with the standard using the scanner on our homepage.

06 Frequently Asked Questions

Is security.txt mandatory?

US federal civilian agencies are required to publish one under CISA Binding Operational Directive 20-01, the Dutch government has adopted it as a mandatory standard for government bodies, and the UK's NCSC recommends it in its vulnerability disclosure guidance. There is no such requirement for private companies yet, but it is widely considered a cybersecurity best practice.

Will this expose me to more hackers?

No. Researchers and attackers find bugs whether you have this file or not. security.txt only changes what happens next: a researcher who has a working channel reports to YOU instead of giving up, going public, or handing the finding to someone else.

Where should I put the file?

The official standard (RFC 9116) places it at `/.well-known/security.txt` (e.g., `https://yoursite.com/.well-known/security.txt`), served over HTTPS as `text/plain`. A copy at the site root (`/security.txt`) is only a legacy fallback.

What is a PGP key?

A PGP key allows researchers to encrypt their report so that only you can read it. This matters because vulnerability reports usually contain sensitive details about how to attack your site, which you do not want sitting in plain text in mail servers and ticketing systems. Host the public key at the URL named in the Encryption field, and sign the security.txt file itself with the same key so researchers can verify it is genuinely yours.

Welcome the White Hats

Turn security researchers into your allies.