Security.txt Checker

security.txt is a text file placed at /.well-known/security.txt on a website that tells security researchers how to responsibly disclose vulnerabilities. Standardized in RFC 9116, it provides contact information, disclosure policy, encryption keys, and an expiry date. Without it, researchers may not know how to reach your security team, potentially leaving vulnerabilities unreported or publicly disclosed.

RFC 9116 requires two fields: (1) Contact: at least one contact method (mailto:, https://, or tel: URI), and (2) Expires: an ISO 8601 date/time when this file should be considered stale. All other fields are optional but strongly recommended: Encryption (PGP key URL), Policy (disclosure policy URL), Canonical (the canonical URL of this file), Preferred-Languages, Acknowledgments, Hiring, and CSAF.

The preferred location per RFC 9116 is /.well-known/security.txt (e.g., https://example.com/.well-known/security.txt). The legacy location /security.txt is also supported for backwards compatibility. The file must be served over HTTPS. If both locations exist, /.well-known/security.txt takes precedence.

RFC 9116 recommends setting the Expires field to no more than one year in the future. A shorter validity (e.g., 90-180 days) forces regular review and ensures contact information stays current. Expired security.txt files are treated as if no file exists, so set up reminders to renew. Many teams set it to exactly one year and renew annually.

PGP signing is optional but recommended for high-security environments. A signed security.txt lets researchers verify the file has not been tampered with — an attacker who compromises your web server could otherwise replace your security.txt with a different contact address. Sign with your security team's PGP key and link to the public key using the Encryption field.