
Security.txt

Name: Security.txt
Also Known As: SECURITY
Tags:
  • Vulnerability
  • Reporting
  • Security
Maintained By: Internet Engineering Task Force
Licence: Open standard - Internet Engineering Task Force Trust
Status: Endorsed

The security.txt data standard was developed to make it easier to publish important information about how to report a vulnerability. One of the most important elements of vulnerability disclosure, and a challenge for the finder, is understanding who to contact. Security.txt is an IETF informational specification (RFC 9116) that describes a text file which webmasters can host in the “/.well-known” directory of the domain root. This file advertises the department’s vulnerability disclosure process so that someone can quickly find all of the information needed to report a vulnerability.

Guidance:

  • Guidance in the form of a basic ‘profile’ will be published to help people use the security.txt standard. New data standards require guidance in ‘profile’ form to give users information about how the standard works and how to find resources about it.