Info | ISO 27001 A.5.5 | NIST CSF RS.CO

Publish a security.txt (RFC 9116)

A security.txt file tells researchers how to report a vulnerability to you responsibly.

Why it matters

Without a clear reporting channel, a finder either gives up or discloses publicly. A security.txt is a low-effort signal of maturity that auditors and researchers look for.

How to fix it

Publish a plain-text file at /.well-known/security.txt, served over HTTPS, with at least a Contact address and an Expires date; RFC 9116 also recommends signing the file with an OpenPGP cleartext signature so researchers can verify it has not been tampered with.

# /.well-known/security.txt  (serve over HTTPS with the text/plain media type)
# Contact and Expires are the two fields RFC 9116 requires; Expires must appear exactly once.
Contact: mailto:security@example.com
Expires: 2027-01-01T00:00:00Z
Preferred-Languages: en, tr
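Before publishing, it is worth checking the file the way a researcher's tooling or an auditor's scanner would. The checker below is an added example written for this guide, not code from the guide or from RFC 9116 itself; it parses a security.txt (including one wrapped in an OpenPGP cleartext signature), confirms the required Contact and Expires fields are present, verifies the Contact values are mailto:, https: or tel: URIs, and flags a file that has expired or whose expiry is more than a year out. The SAMPLE texts are constructed for the example; field names and rules follow RFC 9116, while the one-year limit is a recommendation in the RFC rather than a hard requirement.

```python
"""Minimal RFC 9116 security.txt checker (added example, not part of the guide)."""
from datetime import datetime, timezone

REQUIRED_FIELDS = ("Contact", "Expires")
KNOWN_FIELDS = {"Acknowledgments", "Canonical", "Contact", "Encryption",
                "Expires", "Hiring", "Policy", "Preferred-Languages"}
CONTACT_SCHEMES = ("mailto:", "https:", "tel:")

# Constructed sample matching the guide's example, plus a Canonical line.
SAMPLE = """\
# /.well-known/security.txt
Contact: mailto:security@example.com
Expires: 2027-01-01T00:00:00Z
Preferred-Languages: en, tr
Canonical: https://example.com/.well-known/security.txt
"""

# Constructed sample of the same file inside an OpenPGP cleartext signature wrapper
# (the signature body here is a placeholder, not a real signature).
SAMPLE_SIGNED = """\
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Contact: mailto:security@example.com
Expires: 2027-01-01T00:00:00Z
-----BEGIN PGP SIGNATURE-----
placeholderbase64signaturedata
-----END PGP SIGNATURE-----
"""


def parse_security_txt(text):
    """Return {field: [values]} from a security.txt body.

    Comment lines (#), blank lines, the OpenPGP armor headers ("Hash: ...") and
    the signature block are skipped so a signed file parses the same as a bare one.
    """
    fields = {}
    in_armor_header = False   # between BEGIN PGP SIGNED MESSAGE and the first blank line
    in_signature = False      # between BEGIN and END PGP SIGNATURE
    for raw in text.splitlines():
        line = raw.strip()
        if line == "-----BEGIN PGP SIGNED MESSAGE-----":
            in_armor_header = True
            continue
        if line == "-----BEGIN PGP SIGNATURE-----":
            in_signature = True
            continue
        if line == "-----END PGP SIGNATURE-----":
            in_signature = False
            continue
        if in_armor_header:
            if not line:
                in_armor_header = False
            continue
        if in_signature or not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue  # not a "Field: value" line; a stricter checker could flag it
        fields.setdefault(name.strip(), []).append(value.strip())
    return fields


def parse_time(value):
    """Parse an RFC 3339 / ISO 8601 date-time such as 2027-01-01T00:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_security_txt(text, now=None):
    """Return a list of problems; an empty list means the file passed these checks.

    `now` is an ISO 8601 date-time string (UTC), defaulting to the current time,
    so results are reproducible in tests.
    """
    now = parse_time(now) if now else datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    problems = []
    for req in REQUIRED_FIELDS:
        if req not in fields:
            problems.append(f"missing required field: {req}")
    for contact in fields.get("Contact", []):
        if not contact.startswith(CONTACT_SCHEMES):
            problems.append(f"Contact must be a mailto:, https: or tel: URI: {contact}")
    expires = fields.get("Expires", [])
    if len(expires) > 1:
        problems.append("Expires must appear exactly once")
    for value in expires:
        try:
            when = parse_time(value)
        except ValueError:
            problems.append(f"Expires is not an ISO 8601 date-time: {value}")
            continue
        if when.tzinfo is None:
            problems.append(f"Expires must carry a time zone: {value}")
        elif when <= now:
            problems.append(f"security.txt has expired: {value}")
        elif (when - now).days > 365:
            problems.append("Expires is more than a year out; RFC 9116 recommends under a year")
    if len(fields.get("Preferred-Languages", [])) > 1:
        problems.append("Preferred-Languages must appear at most once")
    for name in fields:
        if name not in KNOWN_FIELDS:
            problems.append(f"unknown field (allowed, but check for a typo): {name}")
    return problems


if __name__ == "__main__":
    for label, body in (("bare", SAMPLE), ("signed", SAMPLE_SIGNED)):
        print(label, check_security_txt(body, now="2026-06-01T00:00:00Z") or "OK")
```

Run it against the file you are about to publish with today's date, and again on a schedule: the most common failure in the wild is not a missing field but an Expires date that quietly passed, which makes researchers treat the contact as unreliable.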


Compliance references are indicative mapping, not legal advice. Automated scanning is evidence and monitoring, not a guarantee of compliance.