Info
ISO 27001 A.5.5
NIST CSF RS.CO
Publish a security.txt (RFC 9116)
A security.txt file tells researchers how to report a vulnerability to you responsibly.
Why it matters
Without a clear reporting channel, a finder either gives up or discloses publicly. A security.txt is a low-effort signal of maturity that auditors and researchers look for.
How to fix it
Publish a plain-text file at https://<your-domain>/.well-known/security.txt, served over HTTPS with a text/plain content type, containing at least a Contact field (a mailto:, https: or tel: URI) and a single Expires field. Expires must be an RFC 3339 timestamp; RFC 9116 recommends keeping it less than a year in the future and renewing it before it lapses, because researchers and scanners treat an expired file as stale. Signing the file with an OpenPGP cleartext signature and adding a Canonical field that names the file's own URL are recommended but optional. The legacy location /security.txt at the site root is not required by the RFC; the .well-known path is.
# /.well-known/security.txt (served over HTTPS as text/plain)
Contact: mailto:security@example.com
Expires: 2027-01-01T00:00:00Z
Preferred-Languages: en, tr
Canonical: https://example.com/.well-known/security.txt
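As an added example, not part of this page or of RFC 9116 itself, here is a small Python checker that parses a security.txt body and applies the checks a scanner or a pre-publish CI step would run: Contact and Expires are present, each Contact value is a mailto/https/tel URI, Expires is a timezone-aware RFC 3339 timestamp that is neither in the past nor more than a year out, Expires and Preferred-Languages appear at most once, and any Canonical value is an https URL ending in /security.txt. It also skips the OpenPGP cleartext-signature framing so that the armor header "Hash: SHA256" is not mistaken for a field. The two sample files, the fixed check date and the placeholder signature block are constructed for this example; the checker does not verify the signature, only notes whether one is present.

```python
"""Syntax and freshness checks for a security.txt body (RFC 9116)."""
from datetime import datetime, timedelta, timezone

REQUIRED_FIELDS = ("contact", "expires")          # MUST be present
CONTACT_SCHEMES = ("mailto:", "https:", "tel:")   # Contact must be a URI; web URIs must be https
ONE_YEAR = timedelta(days=365)                    # RFC 9116 recommends Expires < 1 year out

# Fixed "now" so the example is reproducible (constructed for this example).
CHECK_TIME = datetime(2026, 6, 1, tzinfo=timezone.utc)

# Constructed sample: a well-formed, cleartext-signed file. The signature body is a
# placeholder, so this example never verifies it, it only detects its presence.
GOOD_SAMPLE = """\
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

# constructed sample for example.com
Contact: mailto:security@example.com
Expires: 2027-01-01T00:00:00Z
Preferred-Languages: en, tr
Canonical: https://example.com/.well-known/security.txt
-----BEGIN PGP SIGNATURE-----
(signature bytes omitted in this constructed sample)
-----END PGP SIGNATURE-----
"""

# Constructed sample: bare address instead of a URI, long-expired, unsigned.
BAD_SAMPLE = """\
Contact: security@example.com
Expires: 2020-01-01T00:00:00Z
"""


def parse_security_txt(text):
    """Return an ordered list of (field, value) tuples with lower-cased field names.

    OpenPGP cleartext framing is skipped: the armor headers that follow
    BEGIN PGP SIGNED MESSAGE (up to the first blank line) and everything
    between BEGIN/END PGP SIGNATURE are not security.txt fields.
    Blank lines and '#' comments are ignored; unknown fields are kept,
    since the RFC allows extension fields.
    """
    fields = []
    state = "body"  # body | armor_header | signature
    for raw in text.splitlines():
        line = raw.strip()
        if line == "-----BEGIN PGP SIGNED MESSAGE-----":
            state = "armor_header"
            continue
        if state == "armor_header":
            if line == "":
                state = "body"
            continue
        if line == "-----BEGIN PGP SIGNATURE-----":
            state = "signature"
            continue
        if state == "signature":
            if line == "-----END PGP SIGNATURE-----":
                state = "body"
            continue
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if sep and name.strip():
            fields.append((name.strip().lower(), value.strip()))
    return fields


def parse_rfc3339(value):
    """Parse 'YYYY-MM-DDThh:mm:ssZ' or a numeric-offset form; None if invalid or naive."""
    try:
        when = datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return None
    return when if when.tzinfo is not None else None


def check_security_txt(text, now=None):
    """Return (errors, warnings): errors break RFC 9116 MUSTs, warnings are SHOULDs."""
    now = now or datetime.now(timezone.utc)
    by_name = {}
    for name, value in parse_security_txt(text):
        by_name.setdefault(name, []).append(value)
    errors, warnings = [], []

    for req in REQUIRED_FIELDS:
        if req not in by_name:
            errors.append(f"missing required field: {req.capitalize()}")
    for value in by_name.get("contact", []):
        if not value.lower().startswith(CONTACT_SCHEMES):
            errors.append(f"Contact is not a mailto/https/tel URI: {value}")

    expires = by_name.get("expires", [])
    if len(expires) > 1:
        errors.append("Expires must appear exactly once")
    elif expires:
        when = parse_rfc3339(expires[0])
        if when is None:
            errors.append(f"Expires is not an RFC 3339 timestamp: {expires[0]}")
        elif when <= now:
            errors.append(f"security.txt expired on {expires[0]}")
        elif when - now > ONE_YEAR:
            warnings.append("Expires is more than a year out; RFC 9116 recommends under a year")

    if len(by_name.get("preferred-languages", [])) > 1:
        errors.append("Preferred-Languages must appear at most once")
    for value in by_name.get("canonical", []):
        if not value.startswith("https://") or not value.endswith("/security.txt"):
            errors.append(f"Canonical must be an https URI ending in /security.txt: {value}")
    if "-----BEGIN PGP SIGNATURE-----" not in text:
        warnings.append("file is not OpenPGP-signed (recommended)")
    return errors, warnings


if __name__ == "__main__":
    for label, sample in (("good", GOOD_SAMPLE), ("bad", BAD_SAMPLE)):
        errs, warns = check_security_txt(sample, now=CHECK_TIME)
        print(label, "errors:", errs, "warnings:", warns)
```

To run it against a live site, fetch https://<domain>/.well-known/security.txt yourself (confirming a 200 over HTTPS and a text/plain content type) and pass the body to check_security_txt with the real current time; signature verification would need the publisher's OpenPGP key and is out of scope here.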
Is your domain affected?
Prove ownership and run a scan for a graded, verifiable report.
Related guides
- Set up SPF, DKIM and DMARC to stop email spoofing
- Add the HTTP security headers every site should send
- Fix TLS: valid certificate and modern protocols only
- Remove exposed .git, .env and backup files
Compliance references are indicative mapping, not legal advice. Automated scanning is evidence and monitoring, not a guarantee of compliance.