Qu'est-ce que Générateur & validateur security.txt ?
security.txt is a simple text file published at /.well-known/security.txt that tells security researchers how to contact you about vulnerabilities. It is defined by RFC 9116 and supported by Google, GitHub, and major vulnerability disclosure platforms. The file contains a Contact field (URL or email), an Expires date, and optional fields for Canonical, Encryption, Policy, Acknowledgments, and Hiring.
Réponse rapide
security.txt is a file at /.well-known/security.txt that tells security researchers how to report vulnerabilities to you. At minimum, include a Contact field (URL or email) and an Expires date. Renew the file before it expires to keep your vulnerability disclosure channel active.
Limites
- security.txt is a proposed standard (RFC 9116), not a W3C Recommendation. Some organizations are not yet aware of it, and automated scanner adoption varies by region and industry.
- The file must be served over HTTPS without redirects. Some static hosting platforms (including GitHub Pages) may redirect /.well-known/ paths or serve them with unexpected content types.
- security.txt alone does not create a vulnerability disclosure program or bug bounty. It only tells researchers where to report — you still need an internal process to handle incoming reports.
Comment utiliser cet outil
- In Generate mode: fill in your contact URL or email, set an expiration date, and add any optional fields.
- In Validate mode: paste an existing security.txt file to check it against the RFC 9116 specification.
- Deploy the file to /.well-known/security.txt on your domain and serve it over HTTPS.
A quoi il sert
- Create a vulnerability disclosure contact for an open-source project site.
- Validate an existing security.txt before deploying it to a production domain.
- Ensure the Expires date is not in the past and the Contact field uses a valid URL or email format.