security.txt
A plain-text file at /.well-known/security.txt that tells researchers where to send vulnerability reports. Costs nothing; saves an inbound bug from getting routed to /dev/null.
What it is
RFC 9116 — A File Format to Aid in Security Vulnerability Disclosure. A signed text file at /.well-known/security.txt declaring contact addresses, encryption keys, scope, and disclosure policy for security researchers.
Why it matters
Without a security.txt, a researcher who finds a bug has to guess at info@ or hello@ — and most reports never reach the right team. Five minutes of work captures inbound disclosures that would otherwise become public.
Who it applies to
Every site — research disclosures arrive whether you invited them or not.
How WQI scores it
Web Quality Index considers this standard satisfied when the supporting factor passes.
| # | Factor | Status |
|---|---|---|
| 4 | Security headers (HSTS, CSP, X-Frame-Options, Referrer-Policy, Permissions-Policy, X-Content-Type-Options) | live |
Related standards
See also
- Security headers
Examples
```
Contact: mailto:security@example.com
Contact: https://example.com/security/report
Expires: 2027-01-01T00:00:00.000Z
Encryption: https://example.com/.well-known/pgp-key.asc
Acknowledgments: https://example.com/security/hall-of-fame
Preferred-Languages: en
Canonical: https://example.com/.well-known/security.txt
Policy: https://example.com/security/policy
```
Expires is required by RFC 9116 — keep it within a year and treat renewal as a calendar reminder. Sign the file with PGP for the strictest reading of the spec.
Implementation guidance
- Generic: securitytxt.org generator
- Generic: disclose.io — disclosure policy templates