
security.txt Documentation

What is it

.well-known/security.txt is an IETF standard (RFC 9116) that lets organizations publish their vulnerability disclosure policy and tell security researchers how to report vulnerabilities. This simple text file acts as a bridge between security researchers and organizations, facilitating responsible vulnerability disclosure.

Why use it

  • Standardized Communication: Gives security researchers a consistent way to find out how to report vulnerabilities
  • Improved Response Time: Makes it clear whom to contact when a security issue is discovered
  • Demonstrates Security Commitment: Shows that your organization takes security seriously
  • Reduces Noise: Helps route legitimate security reports away from general-purpose contact channels

Where to place it

The security.txt file should be placed in the .well-known directory of a website:

https://example.com/.well-known/security.txt
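A small checker for the file itself, added here as an example and not part of this documentation or of RFC 9116: it parses the field-per-line format and applies the rules the RFC states (Contact and Expires are mandatory, Expires and Preferred-Languages may appear only once, Contact must be a mailto/tel/https URI, Expires must be an RFC 3339 timestamp that has not passed). The sample file is constructed.

```python
"""Parse and sanity-check a security.txt file against the RFC 9116 rules."""
from datetime import datetime, timezone

REQUIRED = {"contact", "expires"}                 # fields the RFC makes mandatory
SINGLETON = {"expires", "preferred-languages"}    # fields that may appear only once

# Constructed sample, not a real organization's file.
SAMPLE = """\
# Constructed sample security.txt
Contact: mailto:security@example.com
Contact: https://example.com/report
Expires: 2030-01-01T00:00:00Z
Preferred-Languages: en, de
Canonical: https://example.com/.well-known/security.txt
"""

def parse_security_txt(text):
    """Return {field name (lower-case): [values]}; comments and blank lines are skipped."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue  # comment, blank line, or a PGP signature armour line
        name, _, value = line.partition(":")
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields

def check_security_txt(text, now=None):
    """Return a list of problems; an empty list means the file passed these checks."""
    now = now or datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    problems = [f"missing required field: {n}" for n in sorted(REQUIRED - fields.keys())]
    problems += [f"{n} must appear only once" for n in sorted(SINGLETON & fields.keys())
                 if len(fields[n]) > 1]
    for uri in fields.get("contact", []):
        # Contact is a URI; web addresses must use https, not http
        if not uri.startswith(("mailto:", "tel:", "https://")):
            problems.append(f"contact is not a mailto/tel/https URI: {uri}")
    for value in fields.get("expires", [])[:1]:
        try:
            expires = datetime.fromisoformat(value.replace("Z", "+00:00"))
        except ValueError:
            problems.append(f"expires is not an RFC 3339 timestamp: {value}")
            continue
        if expires.tzinfo is None:   # RFC 3339 requires a UTC offset
            problems.append(f"expires lacks a timezone offset: {value}")
        elif expires <= now:
            problems.append(f"file has expired: {value}")
    return problems

if __name__ == "__main__":
    print(check_security_txt(SAMPLE) or "security.txt looks valid")
```

Point `check_security_txt` at the text fetched from your own `/.well-known/security.txt` to catch the common failure mode of a file that was published once and then silently expired.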

What This Documentation Covers

This documentation will guide you through:

  • security.txt Implementation Guidance
  • Security Reporting Policy

Getting Started

Browse the sections above to learn how to implement security.txt for your organization. The process is straightforward and can significantly improve how your organization handles reported vulnerabilities.

Note: As of July 2025, security.txt has been widely adopted by major organizations worldwide and is considered a security best practice.

Last Updated: 7/4/25, 9:39 AM
Contributors: Mario Ofner