⚠️ Want me to hack into your app and tell you how I did it, so you can fix it before someone else finds it? Book in a Laravel Security Audit and Penetration Test! 🕵️

The security.txt file is a proposed standard for defining the security policies of a website. It lives in the /.well-known/ subdirectory and should be a publicly readable text file. The goal of a security.txt file is to make it simple for anyone wishing to report a security concern to get in contact with the right person quickly, without needing to dig through subpages and support docs to find the right email, or having to convince a support rep about an issue and jump through support hoops.

The best place to get started is the proposal at: https://securitytxt.org/

There you will find a wizard to help you build your own security.txt file. Once you have the file, simply upload it to your site as: .well-known/security.txt

For example, this is the security.txt file on my site:
https://stephenreescarter.net/.well-known/security.txt

Contact: mailto:stephen@rees-carter.net
Contact: https://twitter.com/valorin
Expires: 2024-09-14T14:00:00.000Z
Encryption: https://keybase.io/valorin
Encryption: https://stephenreescarter.net/pgp-key.txt
Preferred-Languages: en

And the one on google.com:

Contact: https://g.co/vulnz
Contact: mailto:security@google.com
Encryption: https://services.google.com/corporate/publickey.txt
Acknowledgements: https://bughunters.google.com/
Policy: https://g.co/vrp
Hiring: https://g.co/SecurityPrivacyEngJobs

amazon.com:

Contact: https://hackerone.com/amazonvrp/reports/new
Hiring: https://www.amazon.jobs/en/teams/infosec

# Bug Bounty Policy:
Policy: https://hackerone.com/amazonvrp

# For vulnerabilities related to Amazon Web Services (AWS):
https://aws.amazon.com/security/vulnerability-reporting/

If you want to keep digging into more examples, Scott Helme maintains a list of sites in the Top 1 Million Sites which have a security.txt file: https://crawler.ninja/files/security-txt-sites.txt