security.txt template (RFC 9116)
Copy-paste security.txt for your domain. Enables responsible disclosure, satisfies RFC 9116 compliance, gets indexed by vulnerability researchers.
How to use
Host at /.well-known/security.txt on every production domain.
Template (txt)
Copy-paste, replace {{PLACEHOLDERS}}
Contact: mailto:security@yourdomain.com
Expires: 2027-12-31T00:00:00.000Z
Canonical: https://yourdomain.com/.well-known/security.txt
Policy: https://yourdomain.com/security/disclosure
Acknowledgments: https://yourdomain.com/security/hall-of-fame
Preferred-Languages: en
# Optional: uncomment and add your PGP fingerprint
# Encryption: https://yourdomain.com/.well-known/pgp-key.asc
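
A filled-in copy of this template can be checked before deployment. The following is an added example, not part of the original template: it tests the RFC 9116 rules that Contact and Expires are present, that Expires and Preferred-Languages are not repeated, that web URIs use https://, and that Expires is a valid timestamp still in the future. The names parse_fields and check_security_txt and the SAMPLE text are assumptions made for this example.

```python
from datetime import datetime, timezone

# RFC 9116: Contact and Expires are required; Expires and
# Preferred-Languages must not appear more than once.
REQUIRED = ("contact", "expires")
SINGLETON = ("expires", "preferred-languages")
URI_FIELDS = ("contact", "canonical", "policy", "acknowledgments", "encryption", "hiring")

# Constructed sample mirroring the template above (placeholder domain).
SAMPLE = """\
Contact: mailto:security@yourdomain.com
Expires: 2027-12-31T00:00:00.000Z
Canonical: https://yourdomain.com/.well-known/security.txt
Preferred-Languages: en
# Encryption: https://yourdomain.com/.well-known/pgp-key.asc
"""


def parse_fields(text):
    """Return (name, value) pairs, skipping blank lines and '#' comments."""
    fields = []
    for line in text.splitlines():
        line = line.strip()
        name, sep, value = line.partition(":")
        if line and not line.startswith("#") and sep:
            fields.append((name.strip().lower(), value.strip()))
    return fields


def check_security_txt(text, now=None):
    """Return a list of problems; an empty list means the file passes."""
    now = now or datetime.now(timezone.utc)
    fields = parse_fields(text)
    names = [n for n, _ in fields]
    problems = [f"missing required field: {r}" for r in REQUIRED if r not in names]
    problems += [f"repeated field: {s}" for s in SINGLETON if names.count(s) > 1]
    for name, value in fields:
        if name in URI_FIELDS and value.lower().startswith("http://"):
            problems.append(f"{name} must use https://, got: {value}")
        if name == "expires":
            try:
                expires = datetime.fromisoformat(value.replace("Z", "+00:00"))
                if expires.tzinfo is None:
                    raise ValueError("no UTC offset")
                if expires <= now:
                    problems.append(f"expires is in the past: {value}")
            except ValueError:
                problems.append(f"expires is not an RFC 3339 timestamp: {value}")
    return problems
```

Run it in CI against the deployed file so an expired or malformed security.txt is caught before a researcher hits it.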