Security Tip: Publish a security.txt!

[Tip #9] security.txt is a simple way to share your security contacts to make vulnerability reporting easier.

The security.txt file is a standard way of publishing the security contact details and policies of a website. It lives in the /.well-known/ subdirectory and should be a publicly readable text file. The goal of a security.txt file is to make it simple for anyone wishing to report a security concern to get in contact with the right person quickly, without needing to dig through subpages and support docs to find the right email address, or having to convince a support rep that there is an issue and jump through support hoops.

The best place to get started is: https://securitytxt.org/

There you will find a wizard to help you build your own security.txt file. Once you have the file, simply upload it to your site as: /.well-known/security.txt.

For example, this is the security.txt file on my site:
https://stephenreescarter.net/.well-known/security.txt

Contact: mailto:stephen@rees-carter.net
Contact: https://twitter.com/valorin
Expires: 2028-09-14T14:00:00.000Z
Encryption: https://keybase.io/valorin
Encryption: https://stephenreescarter.net/pgp-key.txt
Preferred-Languages: en

And the one on google.com:

Contact: https://g.co/vulnz
Contact: mailto:security@google.com
Encryption: https://services.google.com/corporate/publickey.txt
Acknowledgements: https://bughunters.google.com/
Policy: https://g.co/vrp
Hiring: https://g.co/SecurityPrivacyEngJobs

amazon.com:

Contact: https://hackerone.com/amazonvrp/reports/new
Hiring: https://www.amazon.jobs/en/teams/infosec

# Bug Bounty Policy:
Policy: https://hackerone.com/amazonvrp

# For vulnerabilities related to Amazon Web Services (AWS):
https://aws.amazon.com/security/vulnerability-reporting/

If you want to keep digging into more examples, Scott Helme maintains a list of sites in the Top 1 Million Sites which have a security.txt file: https://crawler.ninja/files/security-txt-sites.txt
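The examples above all use the same "Field: value" format, and it is easy to publish a file that is missing something or has gone stale. The checker below is an added example, not code from this post or from securitytxt.org; it parses a security.txt body and reports the structural problems RFC 9116 cares about (Contact and Expires are required, Expires should be a timezone-qualified timestamp less than a year out, and a bare URL outside a field is not valid). Run against the amazon.com file quoted above, it flags the bare AWS URL line and the missing Expires field.

```python
from __future__ import annotations
from datetime import datetime, timedelta, timezone
KNOWN = {"Acknowledgments", "Canonical", "Contact", "Encryption", "Expires",
         "Hiring", "Policy", "Preferred-Languages"}  # RFC 9116 field names
REQUIRED = ("Contact", "Expires")  # both are mandatory under RFC 9116

def parse_security_txt(text: str) -> tuple[dict[str, list[str]], list[str]]:
    """Parse 'Field: value' lines; return ({field: [values]}, [problems])."""
    fields: dict[str, list[str]] = {}
    problems: list[str] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):  # blank lines and comments are fine
            continue
        name, sep, value = line.partition(":")
        name, value = name.strip(), value.strip()
        if not sep or name not in KNOWN or not value:
            problems.append(f"line {lineno}: not a known 'Field: value' line: {line!r}")
            continue
        fields.setdefault(name, []).append(value)
    return fields, problems

def check_security_txt(text: str, now: datetime | None = None) -> list[str]:
    """Return what a publisher should fix before uploading (empty = clean)."""
    now = now or datetime.now(timezone.utc)
    fields, problems = parse_security_txt(text)
    problems += [f"missing required field: {f}" for f in REQUIRED if f not in fields]
    for value in fields.get("Expires", [])[:1]:
        try:  # 'Z' is valid ISO 8601 but older fromisoformat() only takes +00:00
            when = datetime.fromisoformat(value.replace("Z", "+00:00"))
        except ValueError:
            problems.append(f"Expires is not an ISO 8601 timestamp: {value!r}")
            continue
        if when.tzinfo is None:
            problems.append(f"Expires needs a timezone offset: {value}")
        elif when <= now:
            problems.append(f"Expires has already passed: {value}")
        elif when - now > timedelta(days=365):  # RFC 9116 recommends under a year
            problems.append(f"Expires is more than a year out: {value}")
    return problems

# Constructed sample: amazon.com's file as quoted in the post above.
AMAZON = """Contact: https://hackerone.com/amazonvrp/reports/new
Hiring: https://www.amazon.jobs/en/teams/infosec

# Bug Bounty Policy:
Policy: https://hackerone.com/amazonvrp

# For vulnerabilities related to Amazon Web Services (AWS):
https://aws.amazon.com/security/vulnerability-reporting/
"""
```

Calling check_security_txt(AMAZON) returns the two problems as strings; an empty list means the file passes these checks.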


Found this security tip helpful? Don't forget to subscribe to receive new Security Tips each week, and upgrade to a premium subscription to receive monthly In Depth articles, or toss a coin in the tip jar.

Reach out if you're looking for a Laravel Security Audit and Penetration Test or a budget-friendly Security Review, and find me on the various socials through Pinkary. Finally, don't forget to check out Practical Laravel Security, my interactive security course.