This repository provides a simple way to get started with implementing a security.txt file for your website or web application.
NOTE: We use the same security.txt and public_key.asc for all our websites, you can find these files in the .well-known directory.
.well-known/security.txt: A sample security.txt file to help you create your own.Setup.md: Instructions on how to set up and customize your security.txt file.
The security.txt file is a standardized text file placed in the .well-known directory of your website. It serves as a public point of contact for security researchers to report vulnerabilities they find.
Why Use security.txt?
- Transparency: It signals to security researchers that you are open to receiving vulnerability reports.
- Efficient Reporting: It provides a standardized way for researchers to contact you, ensuring reports are received promptly.
- Industry Recognition: It's a recognized best practice, recommended by various security organizations.
Learn More:
- Official Specification: RFC 9116
- SecurityTxt.org: https://securitytxt.org/ (Provides a validator and additional resources)
- Review Setup.md: Refer to the
Setup.mdfile for step-by-step instructions on setting up yoursecurity.txtfile. - Customize: Adapt the sample
security.txtfile in this repository to include your organization's specific contact information and policies. - Place in .well-known: Upload your customized
security.txtfile to the.well-knowndirectory on your web server.