What should I put in my security.txt file?

Short answer

Contact email, disclosure policy URL, preferred encryption key, acknowledgements page, and expiration date. Host it at /.well-known/security.txt. It takes about 5 minutes and signals to researchers that you take vulnerability reports seriously.

security.txt is a standard (RFC 9116) for letting security researchers know how to report vulnerabilities to you.

Minimum useful security.txt:

Contact: mailto:security@yourdomain.com
Expires: 2027-01-01T00:00:00.000Z
Canonical: https://yourdomain.com/.well-known/security.txt
Policy: https://yourdomain.com/security/disclosure
Preferred-Languages: en
Acknowledgments: https://yourdomain.com/security/hall-of-fame

Where to host: /.well-known/security.txt on your primary domain. For discoverability, also redirect /security.txt to that path.

Common mistakes:
- Missing the Expires field (required per RFC 9116)
- Contact pointing to a blackhole inbox nobody monitors
- No Policy URL explaining your response process
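An added example (not part of the original answer) that checks a security.txt body for the minimum fields above and the common mistakes just listed: required Contact and Expires, a Contact that is a real URI, an Expires that is valid RFC 3339 and neither past nor more than a year out, single-use fields, and a Policy URL. It works on text you already fetched, so it runs offline; the field names and rules come from RFC 9116.

```python
"""Added example (not from the original answer): offline RFC 9116 checks for the fields above."""
from datetime import datetime, timedelta, timezone

REQUIRED = ("contact", "expires")                # RFC 9116: MUST be present
SINGLE_USE = ("expires", "preferred-languages")  # RFC 9116: MUST NOT appear more than once


def parse_rfc3339(value):
    """Parse an RFC 3339 date-time ('Z' or numeric offset); ValueError if invalid or naive."""
    ts = datetime.fromisoformat(value.strip().replace("Z", "+00:00"))
    if ts.tzinfo is None:
        raise ValueError("missing UTC offset")
    return ts


def parse_security_txt(text):
    """Return (lowercased field name, value) pairs, skipping blank lines and '#' comments."""
    pairs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()) if sep else ("<malformed>", line))
    return pairs


def check_security_txt(text, now=None):
    """Return a list of problems (empty means the file passes). `now` may be an RFC 3339 string."""
    now = parse_rfc3339(now) if isinstance(now, str) else now or datetime.now(timezone.utc)
    problems, counts = [], {}
    for name, value in parse_security_txt(text):
        counts[name] = counts.get(name, 0) + 1
        if name == "<malformed>":
            problems.append(f"malformed line: {value!r}")
        elif name == "contact" and not value.startswith(("mailto:", "https://", "tel:")):
            problems.append(f"Contact must be a mailto:/https:/tel: URI, got {value!r}")
        elif name == "expires":
            try:
                exp = parse_rfc3339(value)
            except ValueError:
                problems.append(f"Expires is not an RFC 3339 date-time: {value!r}")
                continue
            if exp <= now:
                problems.append("Expires is in the past; researchers will treat the file as stale")
            elif exp > now + timedelta(days=365):
                problems.append("Expires is over a year out (RFC 9116 recommends under a year)")
    problems += [f"missing required field: {n}" for n in REQUIRED if n not in counts]
    problems += [f"{n} must appear at most once" for n in SINGLE_USE if counts.get(n, 0) > 1]
    if "policy" not in counts:
        problems.append("no Policy URL explaining the response process")
    return problems
```

Run it against the sample file above with a fixed `now` and it returns an empty list; drop the Expires line or use a bare e-mail address in Contact and each mistake is reported.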

If you have a formal disclosure program (even an informal one-page document), link it. If you pay for reports, say so. If you have a hall of fame, link it; it motivates researchers.

Once shipped, monitor security@yourdomain for at least 24 hours after any public disclosure event.
