How to Create a security.txt File for Your Website
A security.txt file tells security researchers how to report vulnerabilities they find on your website — preventing them from disclosing issues publicly before you've had a chance to fix them. It takes five minutes to set up and earns a bonus point on your domain security score.
What this finding means
security.txt is a proposed internet standard (RFC 9116) that defines a text file at a well-known location on your website. Security researchers check for it when they discover a potential vulnerability on your domain — it tells them who to contact, how to report, and what your disclosure policy is.
Without it, researchers either resort to guessing contact addresses, disclose publicly, or give up entirely.
Why it matters
- Enables responsible disclosure — researchers can notify you privately before going public
- Required for a passing GDPR Article 32 vulnerability disclosure check (under Article 32(1)(d))
- Earns a bonus point on your mydomainrisk.com security score
- Takes less than five minutes to implement
What to put in your security.txt file
Here is a complete template you can customise:
Contact: mailto:security@yourdomain.com
Expires: 2027-04-01T00:00:00.000Z
Encryption: https://yourdomain.com/pgp-key.txt
Acknowledgments: https://yourdomain.com/security/acknowledgments
Preferred-Languages: en
Policy: https://yourdomain.com/security/policy
Scope: https://yourdomain.com
Required fields
- Contact: — where to send vulnerability reports. Can be an email address (mailto:) or a URL
- Expires: — when this file should be considered stale (ISO 8601 format). Set at least one year ahead
Recommended fields
- Policy: — URL of your full vulnerability disclosure policy
- Preferred-Languages: — languages you can respond in
- Scope: — what is in scope for reports
Minimum viable file (if you want to start simple)
Contact: mailto:security@yourdomain.com
Expires: 2027-04-01T00:00:00.000Z
Where to publish it
The file must be published at:
https://yourdomain.com/.well-known/security.txt
For most web platforms this means creating a security.txt file in a .well-known directory at the root of your website. If your platform doesn't support the .well-known path easily, the file can also be placed at:
https://yourdomain.com/security.txt
Verify it worked
Scan your domain at mydomainrisk.com — the security.txt finding will show as resolved and your score will increase. mydomainrisk.com also checks whether the file includes a Policy: field, which is required for the GDPR Article 32 disclosure policy check.
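If you want to run the same kind of check yourself before scanning, here is an added example (not mydomainrisk.com's scanner code) that parses a security.txt body and reports what a scanner would flag: missing Contact or Expires, a Contact that is not a mailto:, https:// or tel: URI, an Expires value that is not ISO 8601 or is already in the past, a missing Policy field, and any field name not defined by RFC 9116. The SAMPLE file is constructed for illustration.

```python
# Added example, not code from mydomainrisk.com: parse a security.txt body and
# report what a scanner would flag. SAMPLE below is constructed for illustration.
from datetime import datetime, timezone

REQUIRED = ("Contact", "Expires")
# Field names defined by RFC 9116 section 2.5; anything else is reported as a warning.
RFC9116_FIELDS = {"Acknowledgments", "Canonical", "Contact", "Encryption",
                  "Expires", "Hiring", "Policy", "Preferred-Languages"}

SAMPLE = """Contact: mailto:security@example.com
Expires: 2030-01-01T00:00:00.000Z
Policy: https://example.com/security/policy
"""

def parse_security_txt(text):
    """Return {field: [values]}, skipping blank lines and '#' comments."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if sep:  # RFC 9116 lines are 'Field: value'; anything else is ignored
            fields.setdefault(name.strip(), []).append(value.strip())
    return fields

def validate(text, now=None):
    """Return (errors, warnings) for a security.txt body as of `now` (tz-aware UTC)."""
    now = now or datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    errors, warnings = [], []
    for name in REQUIRED:
        if name not in fields:
            errors.append(f"missing required field {name}")
    for value in fields.get("Contact", []):
        if not value.startswith(("mailto:", "https://", "tel:")):  # web URIs must be https
            errors.append(f"Contact must be mailto:, https:// or tel:, got {value!r}")
    for value in fields.get("Expires", []):
        try:
            when = datetime.fromisoformat(value.replace("Z", "+00:00"))
        except ValueError:
            errors.append(f"Expires is not ISO 8601: {value!r}")
            continue
        if when <= now:
            errors.append(f"file expired on {value}")
    if "Policy" not in fields:
        warnings.append("no Policy field; the GDPR Article 32 disclosure check needs one")
    warnings += [f"{n} is not a field defined by RFC 9116" for n in fields if n not in RFC9116_FIELDS]
    return errors, warnings
```

Fetch https://yourdomain.com/.well-known/security.txt with any HTTP client and pass the response body to validate(); an empty error list means the two required fields are present and well-formed.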
Check your security.txt status
MyDomainRisk checks security.txt, GDPR Article 32 compliance, and 40+ domain security signals — free.