
security.txt builder

A signed contract with the security research community. Host the result at /.well-known/security.txt.


/.well-known/security.txt

Valid
Contact: mailto:security@example.com
Expires: 2027-06-01T03:57:30.372Z
Preferred-Languages: en

Save as security.txt (no extension change) and serve at https://yourdomain/.well-known/security.txt with Content-Type: text/plain; charset=utf-8.
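To re-check a deployed file later (for example in CI, so an expired file is caught), the sketch below applies the RFC 9116 field rules to the file text and the Content-Type header your server returned. It is an added example, not this builder's own code; the function names are hypothetical and the sample is the output shown above.

```python
from datetime import datetime, timezone

# Constructed sample: the builder output shown on this page.
SAMPLE = (
    "Contact: mailto:security@example.com\n"
    "Expires: 2027-06-01T03:57:30.372Z\n"
    "Preferred-Languages: en\n"
)

def parse_fields(text):
    """Return (name, value) pairs, skipping blank lines and # comments."""
    fields = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and ":" in line:
            name, value = line.split(":", 1)
            fields.append((name.strip().lower(), value.strip()))
    return fields

def _values(fields, name):
    return [v for n, v in fields if n == name]

def check_security_txt(text, content_type, now=None):
    """Return a list of problems; an empty list means every check passed."""
    now = now or datetime.now(timezone.utc)
    fields = parse_fields(text)
    problems = []
    if content_type.lower().replace(" ", "") != "text/plain;charset=utf-8":
        problems.append("Content-Type is not text/plain; charset=utf-8")
    contacts = _values(fields, "contact")
    if not contacts:
        problems.append("Contact is required")
    for c in contacts:
        if ":" not in c:  # common mistake: bare e-mail address, no mailto:
            problems.append(f"Contact is not a URI: {c}")
        elif c.lower().startswith("http://"):
            problems.append(f"Contact web URI must use https: {c}")
    if len(_values(fields, "preferred-languages")) > 1:
        problems.append("Preferred-Languages may appear only once")
    expires = _values(fields, "expires")
    if len(expires) != 1:
        return problems + ["Expires must appear exactly once"]
    try:
        when = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
    except ValueError:
        return problems + ["Expires is not an RFC 3339 timestamp"]
    if when.tzinfo is None:
        problems.append("Expires has no time zone offset")
    elif when <= now:
        problems.append("Expires is in the past; the file is stale")
    return problems
```

Pass the header value exactly as your server sent it, and fail the build when the returned list is not empty.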

Why ship a security.txt? Without it, a researcher who finds a bug has to guess your disclosure channel. Half the time they give up and the bug gets sold to someone less friendly. Pair with a vulnerability-disclosure policy (VDP) and you'll catch issues months earlier.