What is this?
The security.txt file is a small text file, specified in RFC 9116, served over HTTPS at the standard path /.well-known/security.txt of your site (the top-level /security.txt is only a legacy fallback). It tells security researchers at a glance
where to report vulnerabilities (the Contact field: an email address, a web form URL or a phone number), which PGP key to encrypt the report with (Encryption), which languages you read (Preferred-Languages), and under which disclosure policy you handle reports (Policy), including any response times that policy promises. A mandatory Expires date makes sure stale contact data gets noticed.
Without security.txt, reports either pile up in a generic mailbox such as info@ (where they
stagnate) or never arrive, because the finder cannot locate an address and gives up. With security.txt, reports from finders who want to do the right thing land in a channel you own and monitor.
When do I need it?
Useful today for anything that accepts connections from the internet: a web app, a login page, an API endpoint, or any other online service where misuse can leak data or cause harm.
Mandatory under the EU Cyber Resilience Act (CRA, Regulation (EU) 2024/2847) for manufacturers of products with digital elements placed on the EU
market: Annex I, Part II requires a coordinated vulnerability disclosure policy and a published contact address for vulnerability reports. Those product requirements apply from 11 December 2027; the 11 September 2026 date often quoted is when manufacturers' reporting duties towards ENISA under Article 14 start.
The CRA does not prescribe a file format, but a security.txt at the standard location is the simplest way to publish that contact address and policy.