Where should I put my security.txt file?

The security.txt file should be placed at /.well-known/security.txt on your website. Some sites also place a copy at /security.txt for backwards compatibility.

Is security.txt required?

No, security.txt is not required, but it is highly recommended. Without it, security researchers may not know how to report vulnerabilities, which could lead to public disclosure or missed reports.

security txt generator

security.txt Generator

Create a security.txt file for your website in seconds. This file helps security researchers know how to responsibly report vulnerabilities they find.

Contact Email *

Where researchers should report vulnerabilities

Canonical URL (optional)

The official location of your security.txt file

Contact URL (optional)

Link to your bug bounty program or disclosure form

Security Policy URL (optional)

Link to your security policy or disclosure terms

Expires *

When this file should be considered stale (max 1 year)

Acknowledgments URL (optional)

Page thanking security researchers who helped

Preferred Languages

Comma-separated language codes for reports

Hiring URL (optional)

Link to security job openings at your company

Preview

Expires: 2027-01-27T00:00:00.000Z
Preferred-Languages: en

Contact (email or URL) and Expires date are required

How to deploy

For Vercel deployments:

Create a folder: public/.well-known/
Save the file as: public/.well-known/security.txt
Deploy your changes
Verify at: yoursite.com/.well-known/security.txt

What is security.txt?

security.txt is a proposed standard (RFC 9116) that lets security researchers know how to responsibly disclose vulnerabilities they find on your website. Without it, researchers might post publicly, ignore the issue, or attempt extortion.

Learn more at securitytxt.org