security.txt

# Our security address
Contact: security@example.com

# Our PGP key
Encryption: https://example.com/pgp-key.txt

# Our disclosure policy
Disclosure: Full
“When security risks in web services are discovered by independent security researchers who understand the severity of the risk, they often lack the channels to properly disclose them. As a result, security issues may be left unreported. Security.txt defines a standard to help organizations define the process for security researchers to securely disclose security vulnerabilities.”

FAQ

What is the main purpose of security.txt?

The main purpose of security.txt is to make it easier for companies and security researchers to work together when securing platforms. With security.txt, security researchers can easily get in touch with companies about security issues.

Where should I put the security.txt file?

The security.txt file should be located under the /.well-known/ path (/.well-known/security.txt) [RFC5785].

Is security.txt supposed to replace bug bounty platforms?

No. Security.txt is supposed to accompany them.

Will adding an email address expose me to spam bots?

The email value is an optional field. If you are worried about spam, you can set a URI as the value and link to your security policy.
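
An added example, not code from the security.txt project: a small linter for the file format shown at the top of this page, which also reports whether a Contact value is an email address or a URI. It assumes `#` comment lines and `Name: value` directives as in the sample; the function names, the rule that a Contact field must be present, and the https check on Encryption are this example's assumptions.

```python
import re

# Constructed sample: the directives from the file shown at the top of this page.
SAMPLE = """\
# Our security address
Contact: security@example.com
# Our PGP key
Encryption: https://example.com/pgp-key.txt
# Our disclosure policy
Disclosure: Full
"""

FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*):[ \t]*(.*)$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

def parse_security_txt(text):
    """Return (fields, errors); fields maps lowercased name -> list of values."""
    fields, errors = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):  # blank line or comment
            continue
        m = FIELD_RE.match(line)
        if not m or not m.group(2):  # free text, or a name with no value
            errors.append(f"line {lineno}: not a 'Name: value' directive")
            continue
        fields.setdefault(m.group(1).lower(), []).append(m.group(2))
    return fields, errors

def classify_contact(value):
    """Label a Contact value as 'uri', 'email' or 'unknown'."""
    # Test for a web URI first: a URL may itself contain an '@'.
    if value.lower().startswith(("http://", "https://")):
        return "uri"
    is_mail = value.lower().startswith("mailto:") or EMAIL_RE.match(value)
    return "email" if is_mail else "unknown"

def lint(text):
    """Parse the file and return a list of findings (empty means clean)."""
    fields, findings = parse_security_txt(text)
    if "contact" not in fields:  # assumption: a contact channel is mandatory
        findings.append("no Contact field: researchers have no channel")
    for value in fields.get("contact", []):
        if classify_contact(value) == "unknown":
            findings.append(f"Contact is neither an email nor a URI: {value!r}")
    for value in fields.get("encryption", []):
        # Assumption: a key fetched over plain http can be swapped in transit.
        if not value.lower().startswith("https://"):
            findings.append(f"Encryption key not served over https: {value!r}")
    return findings
```

Calling `lint(SAMPLE)` returns an empty list; a file that links its key over plain http or omits Contact produces one finding per problem.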
