RFC 9116 defines a machine-parsable file format called security.txt to help organizations describe their vulnerability disclosure practices.
Locations checked per RFC 9116 Section 3:
/.well-known/security.txt — the well-known URI (REQUIRED)
/security.txt — root path (for backward compatibility)
If a security.txt file is present in both locations, the one under the /.well-known/ path MUST be used.
Required fields: Contact and Expires. Expires MUST appear exactly once and holds an RFC 3339 date-time; once that date has passed the file is stale and its contents should no longer be relied on. The file MUST be served over HTTPS with Content-Type text/plain (RFC 9116 Section 3 also specifies the charset parameter as utf-8, so a conforming server sends text/plain; charset=utf-8).
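The following is an added example of the lookup and validation rules described above, written for this page and not the checker's own code. It applies the location precedence (well-known first, root path only as a fallback), the HTTPS and Content-Type requirements, and the Contact/Expires checks to constructed sample responses. The Response/Result classes, the fake_fetch lookup table and the sample file bodies are assumptions made for the example so that it runs offline; a real checker would replace fake_fetch with an HTTP client.

```python
"""Offline checker for the RFC 9116 security.txt rules (added example)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Callable, Dict, List, Optional
from urllib.parse import urlsplit


@dataclass
class Response:
    """Minimal stand-in for a fetched HTTP response (hypothetical shape)."""
    url: str
    status: int
    content_type: str
    body: str


@dataclass
class Result:
    location: Optional[str] = None            # URL the file was found at, if any
    fields: Dict[str, List[str]] = field(default_factory=dict)
    errors: List[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return self.location is not None and not self.errors


def parse_security_txt(body: str) -> Dict[str, List[str]]:
    """Parse 'Field: value' lines; '#' lines are comments; repeatable fields keep every value."""
    fields: Dict[str, List[str]] = {}
    for raw in body.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue  # not a field line (e.g. PGP armour in a signed file); ignored here
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def lookup(host: str, fetch: Callable[[str], Optional[Response]],
           now: Optional[datetime] = None) -> Result:
    """Locate and validate security.txt for host using the RFC 9116 Section 3 rules."""
    now = now or datetime.now(timezone.utc)
    result = Result()
    # The well-known URI is required; the root path is only a legacy fallback,
    # so the well-known copy wins whenever both exist.
    resp = None
    for path in ("/.well-known/security.txt", "/security.txt"):
        resp = fetch(f"https://{host}{path}")
        if resp is not None and resp.status == 200:
            break
    else:
        result.errors.append("no security.txt at either location")
        return result
    result.location = resp.url
    if urlsplit(resp.url).scheme != "https":
        result.errors.append("file must be served over https")
    media_type = resp.content_type.split(";")[0].strip().lower()
    if media_type != "text/plain":
        result.errors.append(f"Content-Type must be text/plain, got {resp.content_type!r}")
    result.fields = parse_security_txt(resp.body)
    for required in ("contact", "expires"):
        if required not in result.fields:
            result.errors.append(f"missing required field {required.title()}")
    expires = result.fields.get("expires", [])
    if len(expires) > 1:
        result.errors.append("Expires must not appear more than once")
    if expires:
        try:
            # RFC 3339 date-time; fromisoformat needs the 'Z' suffix spelled as an offset
            exp = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
            if exp.tzinfo is None:
                result.errors.append("Expires must carry a time offset")
            elif exp <= now:
                result.errors.append("file has expired")
        except ValueError:
            result.errors.append("Expires is not an RFC 3339 date-time")
    return result


# Constructed sample data (not real hosts or files).
GOOD_BODY = "\n".join([
    "# Constructed example security.txt",
    "Contact: mailto:security@example.com",
    "Contact: https://example.com/security",
    "Expires: 2099-12-31T23:59:00.000Z",
    "Preferred-Languages: en",
])
LEGACY_BODY = "Contact: mailto:sec@legacy.example\nExpires: 2020-01-01T00:00:00Z\n"
FAKE_WEB = {
    "https://example.com/.well-known/security.txt":
        Response("https://example.com/.well-known/security.txt", 200, "text/plain; charset=utf-8", GOOD_BODY),
    "https://example.com/security.txt":
        Response("https://example.com/security.txt", 200, "text/plain", "Contact: mailto:old@example.com\n"),
    "https://legacy.example/security.txt":
        Response("https://legacy.example/security.txt", 200, "text/html", LEGACY_BODY),
}
DEMO_NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)


def fake_fetch(url: str) -> Optional[Response]:
    """Offline replacement for an HTTP GET; returns None where a real server would 404."""
    return FAKE_WEB.get(url)


if __name__ == "__main__":
    for host in ("example.com", "legacy.example", "nothing.example"):
        r = lookup(host, fake_fetch, DEMO_NOW)
        print(host, "->", r.location, "OK" if r.ok else r.errors)
```

Running the block reports example.com as valid at the well-known path (the stale root copy is never consulted), legacy.example as found at the root path but failing the Content-Type and Expires checks, and nothing.example as having no file at either location.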
Enter a domain or URL to check for a security.txt file:
There is also an API that returns the same results in JSON format; its endpoint is /api/lookup?url=example.com
You can find the OpenAPI specification and Swagger UI at /api-docs/ui/