security.txt is a web security best practice formally standardized by the IETF (Internet Engineering Task Force) in RFC 9116, designed to provide websites with a unified, standard way to publish security contact information. Simply put, it is a text file placed at a fixed path on a website, telling security researchers (white hat hackers): "If you find security vulnerabilities on my website, here is how to contact us, here is our encryption public key, here is our disclosure policy, and we welcome your reports."
Before the security.txt standard existed, website security contact information was haphazard. Some websites had no security contact information at all, some buried it on some obscure page, some only listed an unattended info@ email, and some required painstaking searching on LinkedIn to find the security team. This caused a serious problem: when good-faith security researchers discovered vulnerabilities, they often could not find the correct channel to report them. The result was—many vulnerabilities were silently shelved, left unpatched, until discovered and exploited by malicious hackers. security.txt was born to solve this "last mile" problem.
The concept of security.txt was first proposed by security researchers EdOverflow and Yakov Shafranovich in 2017 and quickly gained widespread industry support. In April 2022, security.txt was formally approved by the IETF as RFC 9116, becoming an internationally recognized web security standard. Today, major technology companies such as Google, GitHub, Meta (Facebook), LinkedIn, and Cloudflare, as well as government agencies including the UK Government, US CISA (Cybersecurity and Infrastructure Security Agency), French Government, Italian Government, Dutch Government, and Australian Cyber Security Centre, have deployed security.txt on their official websites and publicly recommend that other organizations adopt it.
The core design of the security.txt file is very simple—it is a plain text file consisting of lines in the format "field-name: value", similar to HTTP header format. The standard defines two mandatory fields: Contact (security contact information, which can be multiple) and Expires (file expiration time); as well as several optional fields: Encryption (PGP encryption public key URL), Acknowledgments (acknowledgments page URL), Policy (vulnerability disclosure policy URL), Hiring (security jobs URL), Canonical (canonical file URL), Preferred-Languages (supported report languages), and CSAF (Common Security Advisory Framework provider metadata URL). This simple format makes it easy for both humans and machines to parse.
Why is deploying security.txt so important? First, it lowers the barrier to vulnerability reporting. Security researchers do not need to spend significant time finding contact information—they can find the correct reporting channel with one click. Second, it demonstrates an organization's proactive attitude toward security—a website with security.txt is essentially saying "We take security seriously and welcome responsible reports." Third, it reduces the risk of vulnerabilities being publicly disclosed or exploited: with a formal channel, researchers will not choose to publicly disclose vulnerabilities directly on Twitter or GitHub because they cannot reach anyone. Fourth, in many industry regulatory requirements (e.g., finance, healthcare, government), establishing a vulnerability disclosure channel has become a compliance requirement.
There are several key details to note when deploying security.txt. First, the path must be correct: the standard path is /.well-known/security.txt, and you can also place a copy at /security.txt in the root directory as a fallback. The .well-known directory here is a standard "well-known resources" directory defined by RFC 8615, where other standard files such as robots.txt are also placed in related locations. Second, it must be served over HTTPS—plaintext HTTP is considered insecure. Third, Content-Type must be text/plain, not text/html or other types. Fourth, do not perform cross-domain redirects for security.txt—if https://example.com/.well-known/security.txt redirects to https://other-domain.com/security.txt, researchers and automated tools will consider this suspicious. Fifth, remember to set the Expires field and update it regularly; an expired security.txt will be considered to have unreliable information.
The Contact field is the most important field in security.txt and the only truly essential field (Expires is also mandatory but is just a timestamp). Contact supports three URI formats: mailto: for email addresses, https:// for web links (e.g., security report form pages), and tel: for phone numbers. It is strongly recommended to provide at least one mailto email and one https form link—forms prevent bot spam, while email is more convenient for researchers to directly send encrypted reports. Multiple contacts can be listed on multiple lines, for example providing both the security team email, security lead email, and third-party vulnerability platform links simultaneously.
While the Encryption field is optional, it is very important in practice. When security researchers discover a critical vulnerability (such as user data leakage or remote code execution), they absolutely do not want to send vulnerability details in plaintext email—because email passes through multiple servers during transmission, any hop could be eavesdropped on. PGP (Pretty Good Privacy) public key encryption is the industry standard for secure communication. You only need to generate a PGP key pair, place the public key on your website (e.g., at /.well-known/pgp-key.txt), and enter that URL in the Encryption field. Researchers encrypt report content with your public key, and only those holding the corresponding private key can decrypt and read it.
The Policy field links to your Vulnerability Disclosure Policy (VDP) page, which is key to building researcher trust. A good VDP should clearly state: testing scope (which systems are in scope and which are out of scope), permitted testing methods (e.g., SQL injection/XSS testing allowed but DDoS/social engineering/accessing real user data prohibited), committed response times (e.g., "We will acknowledge receipt of reports within 3 business days"), whether bounties are offered, and legal safe harbor commitments (explicitly stating no prosecution of good-faith researchers who follow the rules). There are many VDP templates available internationally for reference, and US CISA also provides an open source VDP template.
Beyond security contact itself, security.txt has several "surprise" fields. The Acknowledgments field builds a Security Hall of Fame—publicly thanking researchers who help you find vulnerabilities, which recognizes their work and also serves as community building. The Hiring field is a very clever design: people who can find vulnerabilities on your website are inherently excellent security talent, and placing a recruitment link in security.txt is the most precise channel for recruiting security talent. Many companies have hired excellent security engineers through security.txt. The Canonical field is a security consideration—preventing attackers from forging your security.txt on other domains.
Regarding the common concern about spam, in practice most organizations that have deployed security.txt report negligible increases in spam. This is because: first, spammers typically do not obtain email addresses by crawling security.txt; second, https:// form links can be used instead of directly placing mailto emails, and adding CAPTCHA to forms can completely block bots; third, dedicated security emails (e.g., security@) usually have strict spam filtering configured. In contrast, the cost of missing critical vulnerability reports due to lack of a security contact channel far outweighs the potential increase in small amounts of spam.
This generator is built in strict compliance with the RFC 9116 standard, and all output formats are normalized: the Contact field automatically recognizes prefixes, the Expires field uses standard ISO 8601 UTC time format, and Preferred-Languages is automatically set based on the language you are using. The generated content can be directly copied and deployed to the /.well-known/security.txt path without any modifications. Additionally, all configuration is done locally in your browser and never sent to any server—your security contact information always remains on your device. Deploying security.txt takes only 5 minutes, but the security communication channel it establishes could help you avoid a serious security incident in the future.