security.txt is an accepted standard for website security information that allows security researchers to report security vulnerabilities easily.[1] The standard prescribes a text file called security.txt in the well-known location, similar in syntax to robots.txt but intended to be machine- and human-readable, for those wishing to contact a website's owner about security issues.
Store the file in the /.well-known directory. The server must serve it over HTTPS, for example at https://www.example.com/.well-known/security.txt.
security.txt is a plain text file that you can write yourself or generate with a wizard such as securitytxt.org.
Copy the text into a .txt file and save it.
The Encryption field points to the user's PGP key.
The following is the minimum content.
# cd
# vi security.txt

Expires: 2025-09-30T21:59:00.000Z
Contact: mailto:webmaster@example.com
Encryption: https://www.example.com/.well-known/pgp-key.txt
Preferred-Languages: nl, en, de
Canonical: https://www.example.com/.well-known/security.txt
First we need a key pair for signing. If you already have one, you can skip this step.
# cd
# gpg --full-generate-key
gpg will ask you to enter a passphrase. It may contain spaces.
We need to generate a lot of random bytes. It is a good idea to perform .....
gpg: key .... marked as ultimately trusted
gpg: directory '/root/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/root/.gnupg/openpgp-revocs.d/.....rev'
public and secret key created and signed.
.....
# gpg --list-keys
We can now sign security.txt.
# gpg --clear-sign security.txt
Enter the passphrase. The signed output is written to security.txt.asc.
# gpg --verify security.txt.asc
.....
gpg: WARNING: not a detached signature; file 'security.txt' was NOT verified!
# cp security.txt.asc /srv/www/vhosts/www.example.com/httpsdocs/.well-known/security.txt
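As an added example (not part of this page), a small Python checker for the published file: it applies the RFC 9116 rules for the Contact and Expires fields to the minimal file above and, because the clear-signed security.txt.asc is what gets copied into place, first strips the PGP clearsign wrapper. It only unwraps the signature block; it does not verify the signature, and the SAMPLE input is constructed here.

```python
# Added example (not from the page): checks a security.txt body against the RFC 9116
# rules for Contact and Expires; a gpg --clear-sign wrapper is removed, NOT verified.
import re
from datetime import datetime

def rfc3339(value):  # accepts timestamps such as 2025-09-30T21:59:00.000Z
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def unwrap_clearsign(text):
    lines = text.splitlines()
    if not lines or lines[0] != "-----BEGIN PGP SIGNED MESSAGE-----":
        return text  # not cleartext-signed: use as is
    i = 1
    while i < len(lines) and lines[i].strip():  # skip armor headers ("Hash: SHA256")
        i += 1
    body = []
    for line in lines[i + 1:]:
        if line == "-----BEGIN PGP SIGNATURE-----":
            break
        body.append(line[2:] if line.startswith("- ") else line)  # undo dash-escaping
    return "\n".join(body)

def check_security_txt(text, now="2025-01-01T00:00:00Z"):
    """Return the list of problems found; an empty list means the file passes."""
    problems, fields = [], {}
    for raw in unwrap_clearsign(text).splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^([A-Za-z-]+):\s*(.*)$", line)
        if not m:
            problems.append(f"malformed line: {raw!r}")
            continue
        fields.setdefault(m.group(1), []).append(m.group(2))
    for name in ("Contact", "Expires"):
        if name not in fields:
            problems.append(f"missing required field {name}")
    for value in fields.get("Expires", []):
        try:
            if rfc3339(value) <= rfc3339(now):
                problems.append(f"Expires is in the past: {value}")
        except ValueError:
            problems.append(f"Expires is not an RFC 3339 date-time: {value}")
    for value in fields.get("Contact", []):  # must be a URI, so no whitespace
        if not re.match(r"^(mailto|https|tel):\S+$", value):
            problems.append(f"Contact is not a URI: {value!r}")
    return problems

SAMPLE = ("Expires: 2025-09-30T21:59:00.000Z\nContact: mailto:webmaster@example.com\n"
          "Canonical: https://www.example.com/.well-known/security.txt\n")  # constructed
```

A Contact value written as "mailto: webmaster@example.com" (with a space) is reported as not being a URI, which is the kind of mistake the internet.nl test would also flag.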
Use the tool on internet.nl (Dutch) or internet.nl (English) to check whether you have implemented security.txt correctly. If the test does not pass, internet.nl indicates what needs to be improved.
The only remaining gap is that there is no way to verify the signature on security.txt.