Yoryantra
← Back to Tools

Security.txt Generator

Generate a security.txt file for vulnerability disclosure. Create Contact, Expires, Canonical, Policy, Encryption, Acknowledgments, Preferred-Languages, and Hiring fields.

Website and Contact

Disclosure Details

Options

For web-based services, publish the file at /.well-known/security.txt over HTTPS with text/plain; charset=utf-8.

Output

Generated security.txt content will appear here.
Security.txt helps researchers contact you, but it is not a security control by itself. Make sure the contact inbox or form is monitored.

Creating a Security.txt File for Vulnerability Reports

A security.txt file gives security researchers a clear way to report vulnerabilities. Instead of guessing who to contact, they can check a standard location on your website and find your preferred contact, policy, expiry date, and encryption details.

This Security.txt Generator creates a clean file for /.well-known/security.txt with common fields such as Contact, Expires, Canonical, Policy, Encryption, Acknowledgments, Preferred-Languages, and Hiring.

Using the Security.txt Generator

  1. Enter your domain or website URL.
  2. Add a security contact email, contact page, or both.
  3. Choose an expiry date and optional policy, encryption, acknowledgment, and hiring URLs.
  4. Copy the generated content.
  5. Publish it at /.well-known/security.txt and keep it updated.

Important Security.txt Fields

  • Contact tells researchers where to send reports.
  • Expires tells readers when the file should be considered stale.
  • Canonical points to the official security.txt URL.
  • Policy links to vulnerability disclosure rules and scope.
  • Encryption points to a key for encrypted reports.
  • Acknowledgments links to a page recognizing valid reports.

Example Security.txt Content

Contact: mailto:security@example.com
Expires: 2027-06-01T00:00:00Z
Canonical: https://example.com/.well-known/security.txt
Policy: https://example.com/security-policy
Preferred-Languages: en

Keep Security.txt Practical

A security.txt file is most useful when the contact actually works. Use an email inbox or form that someone checks, and link to a policy that explains what is in scope, what is out of scope, and what researchers should expect after submitting a report.

Review the file before the Expires date so researchers do not rely on stale information.

Frequently Asked Questions

What is security.txt?

It is a standard text file that helps security researchers find the right contact and policy for vulnerability reports.

Where should I publish security.txt?

The standard web location is /.well-known/security.txt on your domain. A top-level /security.txt can redirect there for legacy compatibility.

Is Expires required?

Yes. RFC 9116 requires exactly one Expires field, and the value should be a future RFC3339 date-time.

Should I include a Policy URL?

Yes, if you have one. A policy page helps define scope, expectations, safe testing rules, and reporting process.

Is anything uploaded when I generate the file?

No. The file is generated directly in your browser.