security.txt generator

Give security researchers a clear, standard way to report vulnerabilities. Fill in the RFC 9116 fields, watch the file validate live, and download a /.well-known/security.txt ready to serve.

Required

Contact: how to report a vulnerability, given as a mailto:, https:, or tel: URI, in order of preference.
Expires: stored as an ISO 8601 timestamp. RFC 9116 recommends less than a year out.

Recommended optional

Preferred-Languages: comma-separated BCP 47 language tags reporters may use.
Encryption: link to a public key reporters should use to encrypt their report. Do NOT paste the key itself.
Acknowledgments: page that recognizes researchers who have reported vulnerabilities.
Policy: your vulnerability disclosure policy.
Canonical: the canonical URI(s) where this file lives. Lets consumers verify it wasn’t copied elsewhere.
Hiring: link to security-related job openings.
CSAF: link to your CSAF provider-metadata.json (machine-readable security advisories).

    Where it goes

    Serve the file at https://yourdomain/.well-known/security.txt over HTTPS (a legacy copy at /security.txt is allowed). Keep the Expires date current.

    To sign it, clearsign with PGP and serve the signed output:
    gpg --clearsign security.txt (writes security.txt.asc), then add a Canonical field pointing at the file's URL.

    About security.txt

    RFC 9116 defines a simple text file that tells security researchers how to report issues to your organization. It needs just two things to be valid — a way to reach you (Contact) and an expiry date (Expires) — but a few more fields make life easier for the people doing you a favor.
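
The two required fields, and the clearsigned form described above, can be checked with a short script. This is an added example, not the generator's own code: the function names and the example.com sample are constructed for illustration, and the PGP signature is unwrapped but not verified.

```python
import re
from datetime import datetime, timedelta, timezone

CONTACT_SCHEMES = ("mailto:", "https:", "tel:")
# Clearsigned layout: armor headers, a blank line, the signed body, then the signature.
CLEARSIGN = re.compile(r"-----BEGIN PGP SIGNED MESSAGE-----\r?\n(?:[^\r\n]+\r?\n)*\r?\n"
                       r"(.*?)\r?\n-----BEGIN PGP SIGNATURE-----", re.S)

# Constructed sample input; the example.com values are placeholders.
SAMPLE = """\
Contact: mailto:security@example.com
Contact: https://example.com/report
Expires: 2030-01-01T00:00:00Z
Canonical: https://example.com/.well-known/security.txt
"""

def parse_fields(text):
    """Return (name, value) pairs; comments, blanks and the PGP wrapper are dropped."""
    signed = CLEARSIGN.search(text)
    if signed:  # keep only the signed body and undo dash-escaping
        text = re.sub(r"^- ", "", signed.group(1), flags=re.M)
    fields = []
    for line in text.splitlines():
        name, sep, value = line.strip().partition(":")
        if sep and not name.startswith("#"):
            fields.append((name.strip().lower(), value.strip()))
    return fields

def validate(text, now=None):
    """Return (errors, warnings) for the required Contact and Expires fields."""
    now = now or datetime.now(timezone.utc)
    fields, warnings = parse_fields(text), []
    contacts = [v for n, v in fields if n == "contact"]
    errors = [] if contacts else ["Contact is missing"]
    errors += [f"Contact is not a mailto:, https: or tel: URI: {c}"
               for c in contacts if not c.lower().startswith(CONTACT_SCHEMES)]
    expires = [v for n, v in fields if n == "expires"]
    if len(expires) != 1:
        return errors + ["Expires must appear exactly once"], warnings
    try:
        when = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
    except ValueError:
        return errors + ["Expires is not an ISO 8601 timestamp"], warnings
    if when.tzinfo is None:
        errors.append("Expires has no UTC offset")
    elif when <= now:
        errors.append("Expires is in the past")
    elif when - now > timedelta(days=365):
        warnings.append("Expires is more than a year out")
    return errors, warnings
```

Calling `validate(open("security.txt").read())` on a real file returns the same two lists against the current time; an expired or missing Expires shows up as an error, a date more than a year out only as a warning.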