What is a security.txt file?
Short answer
security.txt is a plain-text file at /.well-known/security.txt that tells security researchers how to report a vulnerability to your site. It is defined by RFC 9116 and centers on a Contact field and an Expires date.
A known place to report problems
When someone finds a security issue on your site, they often cannot tell whom to contact. security.txt solves that by putting a machine- and human-readable contact file at a predictable location, so reports reach the right people instead of going nowhere.
Contact: mailto:security@example.com
Expires: 2027-01-01T00:00:00.000Z
Preferred-Languages: enWhere it goes
The file lives at https://example.com/.well-known/security.txt. A legacy location in the site root is allowed, but the .well-known path is the standard.
Common fields
Contact— required; an email, URL, or phone for reportsExpires— required; when the file should no longer be trustedEncryption— a key so reporters can send sensitive detailsPolicy— a link to your vulnerability disclosure policyPreferred-Languages— languages your team reads