The security.txt file is an essential component of your organization's coordinated vulnerability disclosure (CVD) program. It provides a standardized mechanism for security researchers and the public to easily discover your vulnerability reporting policies and contact information. Under the Cyber Resilience Act (CRA), maintaining clear communication channels for vulnerability reporting is a key compliance requirement.
Our portal automatically generates a compliant security.txt file based on your organizational profile and portal configuration. This file includes your primary security contact email, the URL to your disclosure policy, acknowledgment guidelines, and supported encryption keys (such as PGP). Deploying this file to the .well-known directory of your public-facing web properties ensures that automated scanners and manual researchers can consistently find your reporting instructions.
Keeping your security.txt updated is critical for maintaining an unbroken chain of trust with the security community. The CVD Portal provides active monitoring and alerts if the contact information in your portal diverges from the published file. We recommend automating the deployment of your security.txt as part of your standard CI/CD pipeline to ensure strict adherence to CRA reporting accessibility mandates.
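One way to run the divergence check described above as a CI/CD gate, shown as an added example that is not the CVD Portal's own code. The field names (Contact, Policy, Acknowledgments, Encryption, Expires) are those defined for security.txt in RFC 9116; the sample file, the `EXPECTED` profile and the example.com addresses are constructed for illustration.

```python
import sys
from datetime import datetime, timezone

# Constructed sample of a published /.well-known/security.txt (not real data).
SAMPLE = """\
# Constructed example
Contact: mailto:security@example.com
Policy: https://example.com/security/policy
Acknowledgments: https://example.com/security/thanks
Encryption: https://example.com/pgp-key.txt
Expires: 2030-01-01T00:00:00Z
"""
# Hypothetical profile values the published file is expected to carry.
EXPECTED = {
    "contact": "mailto:security@example.com",
    "policy": "https://example.com/security/policy",
    "encryption": "https://example.com/pgp-key.txt",
}

def parse_security_txt(text):
    """Map lower-cased field names to their values; skip comments and blanks."""
    fields = {}
    for raw in text.splitlines():
        name, sep, value = raw.strip().partition(":")
        if sep and not name.startswith("#"):
            fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields

def check(text, expected, now=None):
    """Return a list of findings; an empty list means the file matches."""
    now = now or datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    findings = [f"{k}: expected {v!r}, published {fields.get(k, [])!r}"
                for k, v in expected.items() if v not in fields.get(k, [])]
    expires = fields.get("expires", [])
    if len(expires) != 1:
        findings.append("expires: exactly one Expires field is required")
    else:
        try:  # RFC 3339 timestamp; a missing UTC offset raises TypeError below
            if datetime.fromisoformat(expires[0].replace("Z", "+00:00")) <= now:
                findings.append(f"expires: file expired at {expires[0]}")
        except (ValueError, TypeError):
            findings.append(f"expires: not a valid timestamp: {expires[0]!r}")
    return findings

if __name__ == "__main__":
    problems = check(SAMPLE, EXPECTED)
    print("\n".join(problems) or "security.txt matches the expected profile")
    sys.exit(1 if problems else 0)
```

In a pipeline, replace `SAMPLE` with the file fetched from the deployed site and fail the job on a non-zero exit, so a stale contact or an expired file blocks the release instead of reaching researchers.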