Exposure · Check
security.txt missing — publishing a researcher contact per RFC 9116
A `/.well-known/security.txt` file gives security researchers a standard, well-known place to find your vulnerability disclosure contact — without guessing whether to email security@, abuse@, or the press contact. RFC 9116 defines the format; even a one-line version is significantly better than nothing.
Why it matters
A minimal valid file is just `Contact: mailto:security@yourdomain.com` plus an `Expires:` date one year out. Researchers check your site for this file before sending an email; having it improves the odds you hear about a real bug from a friendly researcher instead of from your customers.
Real-world risk
Researchers and customers lack a standard place to report issues; incidents may go unreported or go public without coordination.
Fix steps (in order)
- Publish https://yourdomain/.well-known/security.txt per RFC 9116 with at least one `Contact:` line and exactly one `Expires:` line (both are mandatory in the RFC).
- Example minimal file, one field per line (the `Expires:` date is a sample; set your own, in ISO 8601 format with a time zone):
  Contact: mailto:security@example.com
  Expires: 2026-12-31T23:59:59.000Z
  Preferred-Languages: en
Verify the fix in 30 seconds
Run a Scorifya scan on the affected host after deploy. The same finding id (security_txt_missing) clears once the externally-observable signal is in place.
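As an added example (not Scorifya's scanner and not code from this page), the check below validates a security.txt body against the structural rules of RFC 9116 before you trigger the rescan: at least one `Contact:`, exactly one `Expires:`, `https` for any web link, a time-zoned ISO 8601 expiry that has not passed, and at most one `Preferred-Languages:`. It tolerates comments and an OpenPGP cleartext-signature wrapper. The sample file bodies and the fixed reference date are constructed; `fetch_security_txt` is a hypothetical helper name and is the only part that touches the network.

```python
"""RFC 9116 conformance check for a security.txt body (added example)."""
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse
import urllib.request

REQUIRED = {"contact", "expires"}                      # MUST appear at least once
SINGLETON = {"expires", "preferred-languages"}          # MUST NOT appear more than once
KNOWN = REQUIRED | {"acknowledgments", "canonical", "encryption",
                    "hiring", "policy", "preferred-languages"}
CONTACT_SCHEMES = {"mailto", "tel", "https"}            # web links MUST use https


def parse_security_txt(body):
    """Split a body into {lower-case field name: [values]} plus syntax errors.
    Blank lines, '#' comments and a PGP cleartext-signature wrapper are skipped."""
    fields, errors, state = {}, [], "body"   # state: body | armor_header | signature
    for lineno, raw in enumerate(body.splitlines(), 1):
        line = raw.strip()
        if line == "-----BEGIN PGP SIGNED MESSAGE-----":
            state = "armor_header"            # 'Hash: ...' lines follow until a blank line
            continue
        if line == "-----BEGIN PGP SIGNATURE-----":
            state = "signature"
            continue
        if state == "signature":
            if line == "-----END PGP SIGNATURE-----":
                state = "body"
            continue
        if state == "armor_header":
            if not line:
                state = "body"
            continue
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            errors.append(f"line {lineno}: not a 'Field: value' line")
            continue
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields, errors


def validate_security_txt(body, now=None):
    """Return {'fields', 'errors', 'warnings'}; any error means non-conformance."""
    now = now or datetime.now(timezone.utc)
    fields, errors = parse_security_txt(body)
    warnings = []
    present = set(fields)
    for name in sorted(REQUIRED - present):
        errors.append(f"required field '{name}' is missing")
    for name in sorted(SINGLETON & present):
        if len(fields[name]) > 1:
            errors.append(f"'{name}' must appear at most once")
    for name in sorted(present - KNOWN):
        warnings.append(f"unknown field '{name}' (parsers will ignore it)")
    for uri in fields.get("contact", []):
        scheme = urlparse(uri).scheme.lower()
        if scheme == "http":
            errors.append(f"contact '{uri}' must use https, not http")
        elif scheme not in CONTACT_SCHEMES:
            errors.append(f"contact '{uri}' is not a mailto:, tel: or https: URI")
    for raw in fields.get("expires", []):
        try:  # accept the trailing 'Z' form on every Python 3 version
            expires = datetime.fromisoformat(raw.replace("Z", "+00:00"))
        except ValueError:
            errors.append(f"expires '{raw}' is not an ISO 8601 date-time")
            continue
        if expires.tzinfo is None:
            errors.append(f"expires '{raw}' lacks a time zone offset")
        elif expires <= now:
            errors.append(f"file expired on {raw}; researchers will treat it as stale")
        elif expires > now + timedelta(days=365):
            warnings.append("expires is more than a year out; RFC 9116 recommends less")
    return {"fields": fields, "errors": errors, "warnings": warnings}


def fetch_security_txt(host, timeout=10):
    """Hypothetical helper: fetch the well-known path over HTTPS (both required by
    RFC 9116) and validate it, warning if the Content-Type is not text/plain."""
    url = f"https://{host}/.well-known/security.txt"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        ctype = resp.headers.get("Content-Type", "")
        result = validate_security_txt(resp.read().decode("utf-8", "replace"))
    if not ctype.lower().startswith("text/plain"):
        result["warnings"].append(f"Content-Type is '{ctype}', expected text/plain; charset=utf-8")
    return result


# Constructed samples: the file the fix steps publish, and the two-field variant
# without Expires that a scanner should still reject. SAMPLE_NOW keeps the demo
# reproducible regardless of when it is run.
SAMPLE_NOW = datetime(2026, 1, 15, tzinfo=timezone.utc)
GOOD_FILE = """# Vulnerability disclosure contact for example.com (constructed sample)
Contact: mailto:security@example.com
Expires: 2026-12-31T23:59:59.000Z
Preferred-Languages: en
Canonical: https://example.com/.well-known/security.txt
"""
INCOMPLETE_FILE = """Contact: mailto:security@example.com
Preferred-Languages: en
"""

if __name__ == "__main__":
    for label, body in (("good", GOOD_FILE), ("incomplete", INCOMPLETE_FILE)):
        result = validate_security_txt(body, now=SAMPLE_NOW)
        print(label, "errors:", result["errors"], "warnings:", result["warnings"])
```

Run it as a script to see the two verdicts, or call `validate_security_txt` on the body you are about to deploy. One caveat worth keeping in mind: "one year out" is the ceiling, not the target, since RFC 9116 recommends an `Expires:` value less than a year in the future; the validator reports a longer horizon as a warning rather than an error.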