security.txt Generator

Build an RFC 9116 compliant /.well-known/security.txt file to tell security researchers how to report vulnerabilities in your site. Serve it at https://example.com/.well-known/security.txt.

Contact * (one per line — mailto:, https:, or tel:)

Expires * (ISO 8601, < 1 year recommended)

The file is invalid if the expires date is in the past. Default: one year from today.

Encryption (public key URL, one per line)

Acknowledgments (URL of hall-of-fame page) Preferred-Languages (RFC 5646 tags, comma-separated) Canonical (URL where this file lives, one per line)

If present, must be the exact URL where the file is served.

Policy (security policy URL) Hiring (security job postings URL) CSAF (provider-metadata.json URL, one per line)

Wrap in PGP signed-message placeholder

Outputs scaffolding for a cleartext signature you replace with your own.

Output — /.well-known/security.txt

—

Validation

RFC 9116 fields

Field	Required	Description
Contact	Yes	How to report vulnerabilities. Can repeat. Must use `mailto:`, `https:`, or `tel:`.
Expires	Yes	ISO 8601 timestamp after which the file is stale. Should be < 1 year out.
Encryption	No	URL or fingerprint of a public key used to encrypt reports.
Acknowledgments	No	Page crediting finders who reported issues.
Preferred-Languages	No	Comma-separated RFC 5646 language tags the security team speaks.
Canonical	No	URL where this file is served, for anti-tampering.
Policy	No	URL of a security/vulnerability-disclosure policy.
Hiring	No	URL of security-related job postings.
CSAF	No	URL of a CSAF `provider-metadata.json`.

File must be served as text/plain; charset=utf-8 at /.well-known/security.txt over HTTPS. When signing, wrap in an OpenPGP cleartext signature (RFC 4880 §7).