A security.txt checker for RFC 9116 compliance
A security.txt file is how a website tells security researchers where and how to report a vulnerability. Defined by RFC 9116, it lives at /.well-known/security.txt and is one of the first things a white-hat researcher or bug-bounty hunter looks for. This security txt checker fetches that file, parses it against the specification, and shows you exactly what it contains — so you can confirm your own is valid, or check whether a target you're testing has one.
What the standard actually requires
RFC 9116 makes only two fields mandatory, and we flag those specifically. Contact is required — there must be at least one way to reach the security team. Expires is also required and must be a valid date; crucially, once that date passes, researchers are told to disregard the file entirely. That makes an expired security.txt one of the most common and damaging faults, because the policy silently stops working while still sitting on the server. When you check security txt here, the expiry status is front and centre.
Optional fields, shown honestly
Everything beyond Contact and Expires is optional, and we treat it that way — no red warnings for fields a site simply chose not to include. Encryption points to a PGP key so reports can be sent securely; Acknowledgments credits researchers who've reported issues; Policy links to a full disclosure policy; Canonical declares the file's own authoritative URL; and Preferred-Languages lists the languages your team reads. We report each as present or not set, so you see the real picture without an inflated sense of failure. We note whether the file is PGP-signed, but don't cryptographically verify the signature.
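As an added illustration of the checks described in the two sections above (not the site's own checker code), here is a small Python parser that applies the same rules to a security.txt body: it flags the two mandatory fields, treats an expired Expires as a disregard-the-file fault, reports each optional field as its values or "not set", and notes a PGP clearsign wrapper without verifying it. Function names and the sample file are assumptions constructed for the example.

```python
from datetime import datetime, timezone

OPTIONAL = ("Encryption", "Acknowledgments", "Policy", "Canonical", "Preferred-Languages")

def parse_security_txt(text):
    """Return ({field: [values]}, pgp_signed); a clearsign wrapper is noted, never verified."""
    fields, signed, in_armor_header = {}, False, False
    for line in map(str.strip, text.splitlines()):
        if line == "-----BEGIN PGP SIGNED MESSAGE-----":
            signed = in_armor_header = True        # "Hash: ..." header lines follow until a blank line
        elif in_armor_header:
            in_armor_header = bool(line)
        elif line == "-----BEGIN PGP SIGNATURE-----":
            break                                  # everything after this is the signature block
        elif line and not line.startswith("#") and ":" in line:
            name, _, value = line.partition(":")   # RFC 9116 field names are case-insensitive
            fields.setdefault(name.strip().title(), []).append(value.strip())
    return fields, signed

def check_security_txt(text, now=None):
    """Flag the two mandatory fields; report optional ones as their values or "not set"."""
    now = now or datetime.now(timezone.utc)
    fields, signed = parse_security_txt(text)
    report = {"signed": signed, "expired": None, "problems": []}
    if not fields.get("Contact"):
        report["problems"].append("Contact: missing (required)")
    expires = fields.get("Expires", [])
    if len(expires) != 1:
        report["problems"].append("Expires: missing or repeated (exactly one required)")
    else:
        try:                                       # RFC 3339 date-time, e.g. 2025-12-31T23:59:59Z
            exp = datetime.fromisoformat(expires[0].upper().replace("Z", "+00:00"))
            report["expired"] = exp <= now         # TypeError if the value carried no UTC offset
        except (ValueError, TypeError):
            report["problems"].append("Expires: not a valid RFC 3339 date-time")
        if report["expired"]:
            report["problems"].append("Expires: in the past, so researchers must disregard this file")
    report["optional"] = {f: fields.get(f) or "not set" for f in OPTIONAL}
    return report
# Constructed sample (not from any real site): clearsigned with a placeholder signature, already expired.
SAMPLE = """-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Contact: mailto:security@example.com
Expires: 2021-01-01T00:00:00Z
Encryption: https://example.com/pgp-key.txt
-----BEGIN PGP SIGNATURE-----
PLACEHOLDER
-----END PGP SIGNATURE-----
"""
```

Running `check_security_txt(SAMPLE)` reports the file as signed, expired, and with Encryption set but the other optional fields "not set".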
A free vulnerability disclosure policy starting point
If you don't have a security.txt yet, the generator above produces a valid RFC 9116 file from your own details — your contact address and an expiry date, plus any optional fields you want. It's a formatting tool, not a policy consultant: it puts your information into the correct syntax, but you should still write a real disclosure policy and set an expiry you'll remember to renew (many teams set it 6–12 months out and add a calendar reminder). Save the output to /.well-known/security.txt and serve it over HTTPS.