Security.txt Generator
Generate a security.txt file for vulnerability disclosure. Create Contact, Expires, Canonical, Policy, Encryption, Acknowledgments, Preferred-Languages, and Hiring fields.
Website and Contact
Disclosure Details
Options
For web-based services, publish the file at /.well-known/security.txt over HTTPS with text/plain; charset=utf-8.
Output
Generated security.txt content will appear here.
Creating a Security.txt File for Vulnerability Reports
A security.txt file gives security researchers a clear way to report vulnerabilities. Instead of guessing who to contact, they can check a standard location on your website and find your preferred contact, policy, expiry date, and encryption details.
This Security.txt Generator creates a clean file for /.well-known/security.txt with common fields such as Contact, Expires, Canonical, Policy, Encryption, Acknowledgments, Preferred-Languages, and Hiring.
Using the Security.txt Generator
- Enter your domain or website URL.
- Add a security contact email, contact page, or both.
- Choose an expiry date and optional policy, encryption, acknowledgment, and hiring URLs.
- Copy the generated content.
- Publish it at /.well-known/security.txt and keep it updated.
Important Security.txt Fields
- Contact tells researchers where to send reports.
- Expires tells readers when the file should be considered stale.
- Canonical points to the official security.txt URL.
- Policy links to vulnerability disclosure rules and scope.
- Encryption points to a key for encrypted reports.
- Acknowledgments links to a page recognizing valid reports.
Example Security.txt Content
Contact: mailto:security@example.com Expires: 2027-06-01T00:00:00Z Canonical: https://example.com/.well-known/security.txt Policy: https://example.com/security-policy Preferred-Languages: en
Keep Security.txt Practical
A security.txt file is most useful when the contact actually works. Use an email inbox or form that someone checks, and link to a policy that explains what is in scope, what is out of scope, and what researchers should expect after submitting a report.
Review the file before the Expires date so researchers do not rely on stale information.
Frequently Asked Questions
What is security.txt?
It is a standard text file that helps security researchers find the right contact and policy for vulnerability reports.
Where should I publish security.txt?
The standard web location is /.well-known/security.txt on your domain. A top-level /security.txt can redirect there for legacy compatibility.
Is Expires required?
Yes. RFC 9116 requires exactly one Expires field, and the value should be a future RFC3339 date-time.
Should I include a Policy URL?
Yes, if you have one. A policy page helps define scope, expectations, safe testing rules, and reporting process.
Is anything uploaded when I generate the file?
No. The file is generated directly in your browser.
