Home / Tools / Create a security.txt file at /.well-known/security.txt
Content & Files · Scan Check Guide

Create a security.txt file at /.well-known/security.txt

15 min Impact: medium Effort: low ✓ Scan-verified — no manual checkbox

A security.txt file (at /.well-known/security.txt) gives security researchers a clear, official way to report a vulnerability they've found — without it, someone who discovers a real problem in your site has no idea who to contact and may post it publicly instead of reporting it responsibly.

security.txt is a standard file that tells security researchers how to responsibly disclose vulnerabilities to you. Without it, researchers may disclose publicly.

How to fix it

  1. 1
    Create the file
    At /.well-known/security.txt, include at minimum a Contact: line with an email or URL for reports.
  2. 2
    Add an expiry date
    Expires: with an ISO date is required by the spec — set it a year out and renew it periodically.
  3. 3
    Optionally add a policy link
    Policy: pointing to a page describing your responsible-disclosure process, if you have one.

Common mistakes

How you'll know it's done

https://yoursite.com/.well-known/security.txt loads and contains a valid Contact and Expires field.

Tools that help

H.I.V.E. checks this automatically

Fix it, then re-scan — the check confirms itself. No manual checkbox, the scan is the truth.

Run this check in H.I.V.E. →