← All templates
Free Template

security.txt Template (RFC 9116)

A ready-to-use security.txt file template following RFC 9116. The security.txt standard provides a standardised machine-readable location for vulnerability disclosure contact information, satisfying part of the CRA Article 13 requirement for a publicly accessible single point of contact for security researchers.

ForAny organisation with a web presence that wants to make it easy for security researchers to find their vulnerability disclosure contact - required under CRA Article 13 for EU manufacturers
CRA Articles
Article 13

security.txt File Content

Article 13(1)

Security contact information for [COMPANY NAME]

Following RFC 9116 (https://www.rfc-editor.org/rfc/rfc9116)

Place this file at: https://[YOURDOMAIN.COM]/.well-known/security.txt

Required fields

Contact: mailto:[[email protected]] Expires: [YYYY-MM-DDTHH:MM:SS+00:00]

Recommended fields

Policy: https://[YOURDOMAIN.COM]/security Acknowledgments: https://[YOURDOMAIN.COM]/security/acknowledgments

Optional but useful fields

Preferred-Languages: en, [de/fr/nl - add your supported languages] Canonical: https://[YOURDOMAIN.COM]/.well-known/security.txt

If you support encrypted reports

Encryption: https://[YOURDOMAIN.COM]/security-pgp.txt

If you have a bug bounty programme

Hiring: https://[YOURDOMAIN.COM]/careers/security

Note

Place this file at `/.well-known/security.txt` on your web server. The `Expires` field is required by RFC 9116 - set it to no more than 12 months from today and update it annually. If you do not update it before expiry, researchers and automated tools will treat your security.txt as stale. The `Policy` URL should link to your full CVD policy page.

Where to Place Your security.txt

Article 13(1)

Your security.txt file must be accessible at:

Primary location (required by RFC 9116): https://[YOURDOMAIN.COM]/.well-known/security.txt

Legacy fallback (also supported by many tools): https://[YOURDOMAIN.COM]/security.txt

For multiple domains: Create a security.txt at each domain root, or redirect all to a canonical location using the Canonical field.

Subdomains: You do not need a separate security.txt for each subdomain. Researchers typically check the root domain. However, for major products with separate domains, consider adding security.txt to each.

Verification: After deployment, verify your security.txt at https://securitytxt.org/ or using the command: curl https://[YOURDOMAIN.COM]/.well-known/security.txt

Note

The `.well-known/security.txt` location is the canonical RFC 9116 path. Most vulnerability disclosure tools, scanners, and researcher workflows check this path first. Deploy here first, and optionally redirect from `/security.txt` for backwards compatibility.

Signed security.txt (Recommended)

Article 13(1)

For additional authenticity, sign your security.txt with PGP using your security team's key. A signed file provides assurance that the contact information has not been tampered with.

How to sign:

  1. Create your security.txt content (unsigned version above)
  2. Sign with GPG: gpg --clearsign --armor security.txt
  3. This produces a security.txt.asc file with the signature embedded
  4. Rename to security.txt and deploy

Example signed file structure:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

[YOUR SECURITY.TXT CONTENT HERE]

-----BEGIN PGP SIGNATURE-----
[SIGNATURE BLOCK]
-----END PGP SIGNATURE-----

PGP public key: Make your signing key available at the URL specified in the Encryption field, or at a well-known key server.

Note

Signing your security.txt is not mandatory but is a best practice, particularly for organisations where researchers need confidence they are reaching the legitimate security team and not a spoofed page. It is especially recommended for high-profile targets.

Nginx Configuration

Add to your Nginx server block:

location /.well-known/security.txt { alias /var/www/[YOURDOMAIN]/.well-known/security.txt; default_type text/plain; add_header Content-Type 'text/plain; charset=utf-8'; }

Optional: redirect /security.txt to canonical location

location = /security.txt { return 301 /.well-known/security.txt; }

Note

Serving security.txt with the correct `Content-Type: text/plain` header is important - some tools fail to parse it if served as HTML or with no content type. The `.well-known/` directory should already exist if you use other well-known resources (e.g. ACME challenges).

Apache Configuration

Add to your Apache VirtualHost or .htaccess:

Ensure .well-known directory is accessible

<Directory "/var/www/[YOURDOMAIN]/.well-known"> Options None AllowOverride None Require all granted </Directory>

Serve security.txt with correct content type

<Files "security.txt"> Header set Content-Type "text/plain; charset=utf-8" </Files>

Optional: redirect from legacy path

Redirect 301 /security.txt /.well-known/security.txt

Note

Apache may block `.well-known` directory access depending on your server configuration. Ensure the directory is explicitly allowed. Some shared hosting environments require the `.htaccess` approach rather than VirtualHost configuration.

Annual Maintenance Checklist

Article 13(1)

security.txt requires regular maintenance. Add these tasks to your annual security calendar:

Before Expires date (update annually):

  • [ ] Update the Expires field to a new date 12 months ahead
  • [ ] Verify Contact email address is still monitored
  • [ ] Verify Policy URL resolves to your current CVD policy
  • [ ] Verify Acknowledgments URL is current
  • [ ] Re-sign the file if you use PGP signing
  • [ ] Test the file is accessible at /.well-known/security.txt
  • [ ] Verify with https://securitytxt.org/

When staff change:

  • [ ] Update Contact if the security alias changes
  • [ ] Update Encryption if the PGP signing key changes
  • [ ] Notify researchers who may have the old key cached

When adding new domains:

  • [ ] Deploy security.txt to all new domains within 30 days of launch
Note

An expired security.txt is worse than none - it signals neglect. Add renewal as a calendar event 1 month before the Expires date. Many organisations set Expires to exactly 12 months and renew annually alongside their CVD policy review.

Use this template automatically in CVD Portal

CVD Portal generates your CVD policy, tracks acknowledgments, and creates an audit trail — free for Article 14 compliance.

Set up your free portal

Frequently asked questions

Ready to go beyond the template?
CVD Portal automates acknowledgments, tracks deadlines, and generates CSAF advisories — free.
Set up your free portal

Related templates

Coordinated Vulnerability Disclosure Policy Template
A complete coordinated vulnerability disclosure policy following ISO/IEC 29147 best practice and CRA Article 13. Covers the full disclosure lifecycle: intake, triage, remediation, and coordinated publication.
Basic CVD Policy Template
A straightforward coordinated vulnerability disclosure policy aligned with ISO/IEC 29147. Covers the core commitments expected by security researchers and satisfies CRA Article 13 requirements.
CRA-Compliant CVD Policy Template
A comprehensive CVD policy structured specifically for the EU Cyber Resilience Act. Addresses Articles 13 and 14 obligations including 24-hour early warning, 72-hour full notification, and coordinated disclosure timelines.
Vulnerability Reporting Process Template
An internal-facing vulnerability reporting process that documents how your security team handles incoming reports from intake through resolution. Complements your public CVD policy with operational procedures aligned to CRA Article 13 and 14.