Security.txt checker for public disclosure contacts.
Check whether a public website publishes security.txt and review its contact, policy, encryption, language, and canonical metadata.
About
The security.txt file is a public text file that gives security researchers a clear contact path for responsibly reporting vulnerabilities found on a website or service.
The standard is defined in RFC 9116. It recommends publishing the file at /.well-known/security.txt, with /security.txt also commonly checked for compatibility. This checker only reads public disclosure metadata that a website chooses to publish.
Why it matters
Without a visible disclosure contact, a well-intentioned researcher may struggle to find the right reporting channel. That can delay fixes, route reports to support teams that cannot triage them, or push disclosure into less appropriate channels.
A clear security.txt helps organizations publish a low-friction intake path for security reports, policy expectations, preferred languages, encryption metadata, and canonical references.
How to interpret the response
| Field | What it means | What to watch |
|---|---|---|
| Contact | Where security reports should be sent. | Missing, outdated, or generic contacts that slow response. |
| Policy | Disclosure rules, scope, expectations, or program terms. | No policy link when researchers need reporting boundaries. |
| Encryption | Public key researchers can use for encrypted reports. | No encryption option when reports may include sensitive details. |
| Canonical | Official URL for the authoritative security.txt file. | Mismatch between discovered file and declared canonical file. |
| Preferred-Languages | Languages accepted for incoming reports. | No language hint for international disclosure channels. |
| Missing file | No public disclosure contact file was found. | Researchers may need to guess the right reporting route. |
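As an added illustration (not the checker's own code), here is a small RFC 9116 parser that applies the "what to watch" column above to a constructed security.txt body: it flags missing Contact, Policy, Encryption and Preferred-Languages fields, Contact values that are not URIs, and a Canonical list that does not include the URL the file was fetched from. The sample file and the example.com URLs are constructed for the demonstration.

```python
import re
from typing import Dict, List, Optional

# RFC 9116 lines are "Field: value"; field names are case-insensitive, '#' starts a comment.
_FIELD = re.compile(r"^([A-Za-z-]+):\s*(.*?)\s*$")

# Constructed sample body, not fetched from any real site.
SAMPLE = """# constructed example security.txt
Contact: mailto:security@example.com
Contact: https://example.com/security/report
Expires: 2026-12-31T23:59:59Z
Encryption: https://example.com/pgp-key.txt
Policy: https://example.com/security-policy
Preferred-Languages: en, de
Canonical: https://example.com/.well-known/security.txt
"""

def parse_security_txt(body: str) -> Dict[str, List[str]]:
    """Return lower-cased field name -> list of values, in file order."""
    fields: Dict[str, List[str]] = {}
    for raw in body.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _FIELD.match(line)
        if m and m.group(2):
            fields.setdefault(m.group(1).lower(), []).append(m.group(2))
    return fields

def review(body: Optional[str], fetched_url: str) -> List[str]:
    """Apply the table's 'what to watch' checks; an empty list means no findings."""
    if body is None:
        return ["Missing file: no security.txt at the checked location"]
    f = parse_security_txt(body)
    findings: List[str] = []
    contacts = f.get("contact", [])
    if not contacts:
        findings.append("Contact: missing (RFC 9116 requires at least one)")
    for c in contacts:
        # Contact values must be URIs (mailto:, https:, tel:); a bare address is a common mistake.
        if not c.startswith(("mailto:", "https://", "tel:")):
            findings.append(f"Contact: not a mailto:/https:/tel: URI: {c}")
    if "policy" not in f:
        findings.append("Policy: missing (no link to reporting boundaries)")
    if "encryption" not in f:
        findings.append("Encryption: missing (no key for encrypted reports)")
    if "preferred-languages" not in f:
        findings.append("Preferred-Languages: missing (no language hint)")
    canonical = f.get("canonical", [])
    if canonical and fetched_url not in canonical:
        findings.append(f"Canonical: mismatch, fetched {fetched_url} not listed in {canonical}")
    return findings
```

Running `review(SAMPLE, "https://example.com/security.txt")` reports only the canonical mismatch, while the same body fetched from the well-known path is clean.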
Use cases
- Verify that a public website exposes a clear vulnerability disclosure contact.
- Review whether a security policy, canonical location, and encryption metadata are present.
- Check public security posture signals during vendor or partner due diligence.
- Keep lightweight evidence of public disclosure metadata through the raw JSON response.