This repository provides a simple way to get started with implementing a security.txt file for your website or web application.
NOTE: We use the same security.txt
and public_key.asc
for all our websites, you can find these files in the .well-known
directory.
.well-known/security.txt
: A sample security.txt file to help you create your own.Setup.md
: Instructions on how to set up and customize your security.txt file.
The security.txt
file is a standardized text file placed in the .well-known
directory of your website. It serves as a public point of contact for security researchers to report vulnerabilities they find.
Why Use security.txt?
- Transparency: It signals to security researchers that you are open to receiving vulnerability reports.
- Efficient Reporting: It provides a standardized way for researchers to contact you, ensuring reports are received promptly.
- Industry Recognition: It's a recognized best practice, recommended by various security organizations.
Learn More:
- Official Specification: RFC 9116
- SecurityTxt.org: https://securitytxt.org/ (Provides a validator and additional resources)
- Review Setup.md: Refer to the
Setup.md
file for step-by-step instructions on setting up yoursecurity.txt
file. - Customize: Adapt the sample
security.txt
file in this repository to include your organization's specific contact information and policies. - Place in .well-known: Upload your customized
security.txt
file to the.well-known
directory on your web server.