Why Every Website Needs a security.txt File
security.txt is the standard way to publish a vulnerability disclosure contact for a website.
Defined in RFC 9116 (published as an Informational RFC in April 2022), it tells security researchers who to contact, and how, when they discover a vulnerability on your site.
What Is security.txt?
It is a plain-text file served over HTTPS at `/.well-known/security.txt` that contains your security contact information:
- **Contact** (required): `mailto:`, `https:` or `tel:` URI for vulnerability reports; can be repeated, most preferred first
- **Expires** (required, exactly once): RFC 3339 date and time after which the file should be considered stale; keep it less than a year out and refresh it
- **Encryption**: URL of (or `openpgp4fpr:` fingerprint for) the PGP/GPG key for encrypted reports; the key itself does not go in the file
- **Policy**: link to your vulnerability disclosure policy
- **Acknowledgments**: link to your security hall of fame
Other optional fields are **Canonical** (the file's own URL, which matters if you sign the file with a PGP cleartext signature as the RFC recommends), **Preferred-Languages** and **Hiring**.
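The fields above are easy to get subtly wrong (an `http:` contact, an `Expires` in the past or missing, a naive timestamp), so a small generator and checker is worth having in CI. The following is an added example, not code from the original article or from the RFC; the `example.com` file content is constructed, and `CHECK_TIME` is a fixed "now" so the result is reproducible.

```python
from __future__ import annotations

from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

# Field names defined in RFC 9116. Contact and Expires are the only required ones.
REQUIRED = {"Contact", "Expires"}
KNOWN = REQUIRED | {"Acknowledgments", "Canonical", "Encryption", "Hiring",
                    "Policy", "Preferred-Languages"}
# URI schemes RFC 9116 allows for each URI-valued field.
SCHEMES = {
    "Contact": {"mailto", "https", "tel"},
    "Encryption": {"https", "dns", "openpgp4fpr"},
    "Acknowledgments": {"https"},
    "Policy": {"https"},
    "Canonical": {"https"},
    "Hiring": {"https"},
}

# Fixed reference time used by the examples below (assumption, for reproducibility).
CHECK_TIME = datetime(2025, 6, 1, tzinfo=timezone.utc)

# Constructed sample for a hypothetical example.com deployment.
SAMPLE = """\
# security.txt for example.com (constructed example)
Contact: mailto:security@example.com
Contact: https://example.com/security/report
Expires: 2026-01-01T00:00:00Z
Encryption: https://example.com/pgp-key.txt
Policy: https://example.com/security/policy
Acknowledgments: https://example.com/security/thanks
Canonical: https://example.com/.well-known/security.txt
Preferred-Languages: en, de
"""

# Constructed sample with the mistakes seen most often in the wild.
BAD = """\
Contact: http://example.com/report
Encryption: https://example.com/key.txt
Expires: 2020-01-01T00:00:00Z
"""


def render(fields: list[tuple[str, str]]) -> str:
    """Serialise (name, value) pairs into security.txt syntax, one field per line."""
    return "".join(f"{name}: {value}\n" for name, value in fields)


def parse(text: str) -> list[tuple[str, str]]:
    """Parse security.txt into ordered (name, value) pairs; blank and comment lines are skipped."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Split on the first colon only: values like mailto:... contain colons too.
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        out.append((name.strip(), value.strip()))
    return out


def validate(text: str, now: datetime = CHECK_TIME) -> list[str]:
    """Return a list of problems; an empty list means the file passes these checks."""
    problems = []
    fields = parse(text)
    names = [n for n, _ in fields]
    for req in sorted(REQUIRED):
        if req not in names:
            problems.append(f"missing required field {req}")
    if names.count("Expires") > 1:
        problems.append("Expires must appear exactly once")
    for name, value in fields:
        if name not in KNOWN:
            problems.append(f"unknown field {name} (extensions exist, but check the spelling)")
            continue
        if name in SCHEMES:
            scheme = urlparse(value).scheme.lower()
            if scheme not in SCHEMES[name]:
                problems.append(f"{name}: unexpected scheme {scheme!r} in {value!r}")
        if name == "Expires":
            # RFC 3339 requires a UTC offset; accept the common trailing 'Z' spelling.
            try:
                exp = datetime.fromisoformat(value.replace("Z", "+00:00"))
            except ValueError:
                problems.append(f"Expires is not an RFC 3339 timestamp: {value!r}")
                continue
            if exp.tzinfo is None:
                problems.append("Expires lacks a UTC offset")
            elif exp <= now:
                problems.append("Expires is in the past; researchers should treat the file as stale")
            elif exp - now > timedelta(days=365):
                problems.append("Expires is more than a year out; RFC 9116 recommends less")
    return problems


if __name__ == "__main__":
    print(render(parse(SAMPLE)), end="")
    print("sample problems:", validate(SAMPLE))
    print("bad problems:", validate(BAD))
```

Run it against the file you intend to publish before every deploy; the `Expires` check is the one that silently fails over time, so pair it with a calendar reminder or a scheduled job.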
Why You Need It
Without security.txt, researchers who find vulnerabilities on your site may:
- Give up and not report the issue
- Disclose the vulnerability publicly
- Report it through inappropriate channels, such as a generic support address or a social media account
A security.txt file shows you take security seriously and welcome coordinated disclosure. It only works if the contact it lists is actually monitored and the `Expires` date is kept current, so treat it as a small but permanent operational commitment rather than a one-off.