Utilumo
LightDarkSystem
Explainer1 min readUpdated June 29, 2026

What is a security.txt file?

Short answer

security.txt is a plain-text file at /.well-known/security.txt that tells security researchers how to report a vulnerability to your site. It is defined by RFC 9116 and centers on a Contact field and an Expires date.

A known place to report problems

When someone finds a security issue on your site, they often cannot tell whom to contact. security.txt solves that by putting a machine- and human-readable contact file at a predictable location, so reports reach the right people instead of going nowhere.

Contact: mailto:security@example.com
Expires: 2027-01-01T00:00:00.000Z
Preferred-Languages: en
A minimal security.txt

Where it goes

The file lives at https://example.com/.well-known/security.txt. A legacy location in the site root is allowed, but the .well-known path is the standard.

Common fields

  • Contact — required; an email, URL, or phone for reports
  • Expires — required; when the file should no longer be trusted
  • Encryption — a key so reporters can send sensitive details
  • Policy — a link to your vulnerability disclosure policy
  • Preferred-Languages — languages your team reads
Try it: security.txt GeneratorGenerate a valid security.txt with the right fields locally.Open tool

References

Questions

Is security.txt required?

No, it is voluntary, but it is widely recognized and makes responsible disclosure much easier. Many organizations and bug-bounty programs expect it.

Why does security.txt need an Expires date?

The Expires field stops researchers from trusting a stale file. RFC 9116 requires it so you keep the contact details current.

Does this send my data anywhere?

No. Utilumo's developer tools parse and transform input inside the browser tab. Nothing is uploaded, stored, or logged.

Keep reading