security.txt – Why Every Website Needs One


In 2025, if a security researcher finds a vulnerability on your site and has no clear way to report it responsibly, they’ll probably just walk away — or worse, post it publicly.

security.txt (RFC 9116) fixes that. It’s a tiny file that tells ethical hackers exactly how to disclose bugs to you safely.

Google, GitHub, Facebook, LinkedIn, Microsoft, and now even the U.S. federal government require it. It’s basically the “responsible disclosure hotline” for your domain.

Getting a Security Policy for Your Website

When you publish a security.txt file, you should also provide a Vulnerability Disclosure Policy (VDP). This policy grants researchers legal safe harbor (we won’t sue you if you follow the rules), clearly defines which assets are in scope for testing, lays out the rules of engagement, sets response timelines, and explains any recognition or rewards.
You don’t have to write it from scratch:

  • You can start with the official CISA Vulnerability Disclosure Policy Template (Word doc – government-approved and free).
  • Or use the excellent open-source wizard Policymaker by disclose.io – answer a few questions and it instantly generates a complete, ready-to-publish HTML policy.

Having both security.txt + a public policy is the gold standard in 2025 — it turns ethical hackers into allies instead of adversaries.

My Exact security.txt on osbornepro.com

Website location: https://osbornepro.com/.well-known/security.txt

Notice that my security.txt file is also PGP-signed for integrity and authenticity. The Expires field indicates when my current PGP signing key expires (required when the file is signed). I provide a dedicated email address in the Contact field, but you can also point to a web contact form if you prefer. Acknowledgments links to my researcher Hall of Fame — where I publicly credit everyone who has responsibly disclosed valid vulnerabilities. Policy points to my full security policy page, which outlines the rules for testing and grants explicit legal permission (safe harbor) to researchers who follow it.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Contact: mailto:rosborne@osbornepro.com
Expires: 2035-01-31T10:00:00Z
Encryption: https://downloads.osbornepro.com/publickey.asc 
Acknowledgments: https://osbornepro.com/acknowledgements
Canonical: https://osbornepro.com/.well-known/security.txt
Policy: https://osbornepro.com/security-policy
Preferred-Languages: en
-----BEGIN PGP SIGNATURE-----

iHUEARYKAB0WIQQHLK7TbXhu5MVkWKOl4wbX2JOtwAUCaRocKAAKCRCl4wbX2JOt
wDq+AP46wJDLwX8O87tNpVJmQeF6tnnw/FqK3fuPBfal2NW84gEA0Nj1lhq2jps1
gh7hOXvtI8v7pP3kxEdb3r5LlbNk+go=
=76TD
-----END PGP SIGNATURE-----

Required vs Recommended Fields (RFC 9116)

Field               Required?                     My Recommendation
Contact             YES (at least one)            mailto + web form
Encryption          No, but strongly encouraged   PGP key = gold standard
Acknowledgments     No                            Hall-of-fame page = huge goodwill
Policy              No                            Link to your full security policy
Hiring              No                            Attract talent!

security.txt Generators

You can generate a security.txt file with any of the tools below. Once generated, you can start using the file on your site as is, but it is recommended that you take it a step further and sign the file for integrity.

Sign security.txt

Signing is done using PGP. For simplicity, I use the same PGP key to sign my security.txt file that I use to sign PGP-encrypted emails. This is not required, but it is worth mentioning because a security researcher may assume they can use that key to send you a PGP-encrypted email.

  1. If you already have a PGP key (to sign emails with, for example), you can use that key.
  2. If you do not already have a PGP key, you can generate one.
  3. Once you have the PGP key you wish to use, sign your generated security.txt file and host it on your site.

#### IF YOU NEED TO GENERATE A PGP KEY ####
gpg --expert --full-generate-key
# Export your public key; host it for download so researchers can verify your
# signature (and encrypt reports to you)
gpg --armor --export security@yourdomain.com > pgp-public.key


#### IF YOU ALREADY HAVE A PGP KEY ####
# Import both keys at once (most private key exports already contain the public key)
gpg --import my-secret-key.asc

# Or, if you have the keys in separate files
gpg --import private.key
gpg --import public.key


# List your keys to get the key ID
gpg --list-secret-keys --keyid-format LONG
# Example output shows: sec   rsa4096/A1B2C3D4E5F67890

# Mark the imported key as ultimately trusted (it is your own key)
gpg --edit-key A1B2C3D4E5F67890
# Inside the gpg prompt the above command opens, do:
gpg> trust
# Choose 5 = I trust ultimately
# Then quit
gpg> quit


# You can now clearsign your security.txt file using the imported key
gpg --local-user A1B2C3D4E5F67890 --armor --clearsign security.txt
# --clearsign writes the signed copy to security.txt.asc; that content is what
# you publish at /.well-known/security.txt
cp security.txt.asc /path/to/webroot/.well-known/security.txt

# Once signed you can verify the file; the signature is inline, so gpg needs
# only the signed file itself (no separate key or certificate argument)
gpg --verify /path/to/webroot/.well-known/security.txt

RFC 9116 says a compliant parser must look here:
  http(s)://yourdomain.com/.well-known/security.txt
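Whether you publish the file plain or clearsigned, it is worth confirming it still parses the way a researcher's tooling will read it; the checker below is an added example, not the post's own code, and covers the required/recommended fields from the table above as well as the clearsign wrapper produced by gpg. It strips the PGP armor, parses the "Field: value" lines and flags a missing Contact or Expires, a stale Expires, http:// URIs (RFC 9116 requires https://) and misspelled field names; the embedded sample file is constructed for the demo, and signature verification itself is left to gpg --verify.

```python
# Added example (not the post's own code): RFC 9116 checks for a security.txt,
# plain or PGP-clearsigned. It strips the armor, parses "Field: value" lines and
# lists problems; it does NOT verify the signature itself (that is gpg's job).
from datetime import datetime, timezone

KNOWN = {"contact", "expires", "encryption", "acknowledgments", "preferred-languages",
         "canonical", "policy", "hiring", "csaf"}
# Constructed sample with three mistakes: stale Expires, http:// URI, misspelled field.
SAMPLE = """-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Contact: mailto:security@example.com
Expires: 2024-01-31T10:00:00Z
Encryption: http://example.com/publickey.asc
Acknowledgements: https://example.com/acknowledgements
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
"""

def parse_security_txt(text):
    """Return {field (lowercased): [values]}; comments, armor and signature are skipped."""
    lines, fields = text.splitlines(), {}
    if lines and lines[0] == "-----BEGIN PGP SIGNED MESSAGE-----":
        lines = lines[lines.index("") + 1:]   # drop the armor header ("Hash: SHA512")
    for line in lines:
        if line == "-----BEGIN PGP SIGNATURE-----":
            break                              # everything after this is the signature
        if line.strip() and not line.startswith("#"):
            name, _, value = line.partition(":")
            fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields

def check_security_txt(text, now=None):
    """Return a list of problems; an empty list means the file passes these checks."""
    now = now or datetime.now(timezone.utc)
    fields, problems = parse_security_txt(text), []
    if "contact" not in fields:
        problems.append("Contact is required (at least one)")
    if len(fields.get("expires", [])) != 1:
        problems.append("Expires is required and must appear exactly once")
    elif datetime.fromisoformat(fields["expires"][0].replace("Z", "+00:00")) <= now:
        problems.append("Expires is in the past: parsers will treat the file as stale")
    for name, values in fields.items():
        if name not in KNOWN:
            problems.append(f"unknown field '{name}' (check spelling, e.g. Acknowledgments)")
        for v in values:          # RFC 9116 section 3: web URIs MUST begin with https://
            if v.lower().startswith("http://"):
                problems.append(f"{name}: insecure URI {v}")
    return problems
```

Run check_security_txt on your live file (or on the output of gpg --clearsign) before publishing; the sample above reports exactly three problems.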

Bonus: My Acknowledgements / Hall-of-Fame Page

Researchers love recognition and deserve the credit. If they are job hunting, they should be able to point to sites that have benefited from their efforts to show what they are capable of.
I created https://osbornepro.com/acknowledgements based on a simple template:

<h2>Researcher Hall of Fame</h2>
<p>Thank you to the following security researchers who responsibly disclosed vulnerabilities:</p>
<ul>
  <li>John Doe – Reflected XSS (Mar 2025)</li>
  <li>Jane Smith – Open Redirect (Jan 2025)</li>
</ul>

Final Checklist

  • security.txt at /.well-known/security.txt
  • At least one Contact line
  • PGP key strongly recommended
  • Acknowledgements page (builds trust)
  • Full written security policy (link from security.txt)

Total cost: $0. Takes 5–10 minutes. Massive goodwill from the security community.

CISA recommends that all organizations adopt "security.txt" standards. Do it today — the next bug finder will thank you.

Tags: security.txt, RFC9116, responsible disclosure, bug bounty, vulnerability reporting, ethical hacking, security policy
Published & Updated: November 29, 2025
Author: Robert H. Osborne
