security.txt

The Internet Draft was first submitted by Edwin Foudil in September 2017.^[4] At that time it covered four directives, "Contact", "Encryption", "Disclosure" and "Acknowledgement". Foudil expected to add further directives based on feedback.^[5] In addition, web security expert Scott Helme said he had seen positive feedback from the security community while use among the top 1 million websites was "as low as expected right now".^[4]

In 2019, the Cybersecurity and Infrastructure Security Agency (CISA) published a draft binding operational directive that requires all federal agencies to publish a security.txt file within 180 days.^[6][7]

The Internet Engineering Steering Group (IESG) issued a Last Call for security.txt in December 2019 which ended on January 6, 2020.^[8]

A study in 2021 found that over ten percent of top-100 websites published a security.txt file, with the percentage of sites publishing the file decreasing as more websites were considered.^[9] The study also noted a number of discrepancies between the standard and the content of the file.

In April 2022 the security.txt file has been accepted by Internet Engineering Task Force (IETF) as RFC 9116.^[1]

security.txt files can be served under the /.well-known/ directory (i.e. /.well-known/security.txt) or the top-level directory (i.e. /security.txt) of a website. The file must be served over HTTPS and in plaintext format.^[10]

• ads.txt
• humans.txt
• robots.txt

• Official website
• Example of a security.txt file