Imagine a security researcher has found a serious vulnerability on your site. They want to tell you, but the general email on the contact page goes to the marketing department, and the phone number reaches the reception desk. Time passes, the vulnerability remains open, and eventually someone else exploits it. The RFC 9116 standard — the security.txt file — was created specifically to solve this problem. This simple text file clearly tells security researchers where to report vulnerabilities and significantly simplifies the responsible disclosure process.
Where security.txt is located
According to RFC 9116, the security.txt file must be located in the /.well-known/ directory, so the full URL becomes example.com/.well-known/security.txt. This location was not chosen by accident: the .well-known directory is the designated path for a number of internet standards, including WebFinger, ACME challenges, and OpenID configuration. Earlier guidance also accepted placing the file at the site root, but for new projects only the .well-known location is recommended. The file must be served over HTTPS.
Main fields
The security.txt file contains several fields, the most important of which is Contact, specifying the email address or URL to which vulnerability reports should be sent. The Expires field defines how long the file remains valid and is mandatory under RFC 9116. Preferred-Languages tells researchers which languages the security team can communicate in. The Canonical field states the file's official URL, so a copy planted at another location can be distinguished from the genuine one. The Acknowledgments field links to a page that credits researchers who have reported vulnerabilities.
Encryption and PGP keys
For reporting confidential vulnerabilities, encrypted communication is critically important. The Encryption field specifies where the security team's PGP key can be found. Using this key, the researcher can encrypt the vulnerability details and keep them from third parties in transit. The key can be hosted on a public PGP key server or on your own website. For highly sensitive systems this field is practically mandatory, because sending vulnerability details over plain email creates unnecessary risk.
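As an added example (not part of the original article and not Sayt.uz code), a small Python validator for the fields described above: it parses a constructed security.txt and flags the mistakes that make a file useless to a researcher (no Contact, a missing or stale Expires, a Canonical that does not match the URL the file was fetched from). The example.com URLs and the sample file are constructed.

```python
# Added example (not Sayt.uz code): minimal validator for RFC 9116 fields.
from datetime import datetime, timezone
from urllib.parse import urlparse

# Constructed sample security.txt; example.com values are placeholders.
SAMPLE = """\
Contact: mailto:security@example.com
Contact: https://example.com/security-report
Expires: 2030-01-01T00:00:00.000Z
Encryption: https://example.com/pgp-key.txt
Preferred-Languages: en, ru, uz
Canonical: https://example.com/.well-known/security.txt
Acknowledgments: https://example.com/hall-of-fame
"""
WELL_KNOWN = "https://example.com/.well-known/security.txt"

def parse_security_txt(text):
    """Return {field: [values]}; field names are case-insensitive (RFC 9116)."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue  # comment, blank line, or a PGP signature line
        name, value = line.split(":", 1)
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields

def _ts(value):
    # Expires is ISO 8601; accept the trailing 'Z' on older Pythons.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def validate(text, url=WELL_KNOWN, now_iso=None):
    """Return a list of problems; an empty list means the file passes."""
    fields = parse_security_txt(text)
    now = _ts(now_iso) if now_iso else datetime.now(timezone.utc)
    problems = []
    if "contact" not in fields:
        problems.append("missing mandatory Contact field")
    for c in fields.get("contact", []):
        if urlparse(c).scheme not in ("mailto", "https", "tel"):
            problems.append(f"Contact must be a mailto:/https:/tel: URI: {c}")
    exp = fields.get("expires", [])
    if len(exp) != 1:
        problems.append("Expires is mandatory and must appear exactly once")
    elif (when := _ts(exp[0])) <= now:
        problems.append("file has expired; researchers may distrust it")
    elif (when - now).days > 365:
        problems.append("Expires more than a year ahead (RFC 9116 advises less)")
    if "canonical" in fields and url not in fields["canonical"]:
        problems.append("Canonical does not list the URL the file was fetched from")
    return problems
```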
Sayt.uz practice
Sayt.uz introduced the security.txt file in 2024, and it is available at sayt.uz/.well-known/security.txt. The file specifies the contact email security@sayt.uz, a PGP key link, and the ability to communicate in Uzbek, Russian, and English. In 2024, 14 external researchers reported vulnerabilities through this channel, and all reports were acknowledged on average within 8 hours. Hosting plans starting from 95,000 soums include the security.txt template and a guide for creating PGP keys. For corporate clients, special bug bounty platform integration is offered from 1,600,000 soums, automating work with external researchers.