security.txt
security.txt (RFC 9116) gives security researchers a standardized place to find out how to report vulnerabilities in your product. SaaSalyst checks whether your website hosts a /.well-known/security.txt file, the responsible disclosure channel that enterprise security teams look for.
What SaaSalyst Checks
SaaSalyst makes an HTTP HEAD request to /.well-known/security.txt on your domain. A 200 status code indicates the file exists and the check passes. This follows RFC 9116, the IETF standard for publishing security contact information. A 200 is a presence signal, not a validation: some hosting platforms answer 200 with an HTML error page for any path, and a file that is served correctly can still be unusable if its required Contact or Expires field is missing or its Expires date has passed. Verify the contents yourself rather than relying on the status code alone.
Why This Matters
security.txt enables responsible vulnerability disclosure. When security researchers find a vulnerability in your product, they need to know who to contact and how. Without security.txt, they may give up on reaching you, report to the wrong address, or disclose publicly instead of responsibly.
Enterprise security teams check for security.txt during vendor assessments. Its presence signals that you have a mature security posture and take vulnerability management seriously.
The file is trivial to create: a plain text file with a contact URI, an expiry date, and optionally a link to your encryption key and disclosure policy. Its impact on perceived security maturity is out of proportion to that effort.
How to Fix It
- Create a plain text file at /.well-known/security.txt with at least a Contact field (a mailto:, https: or tel: URI such as mailto:security@example.com; a bare email address is not valid) and an Expires field (an RFC 3339 timestamp such as 2027-01-01T00:00:00.000Z). RFC 9116 requires both; Expires should be less than a year out and must be renewed before it passes, because an expired file is treated as stale.
- Add optional fields as appropriate: Preferred-Languages (at most once), Encryption (URI of your PGP key), Policy (your VDP URL), Canonical (the file's own https URL), Acknowledgments and Hiring. Web URIs in any field must use https.
- Serve the file over HTTPS with Content-Type text/plain per RFC 9116. Some hosting platforms require specific configuration to serve files from the /.well-known/ path; a legacy top-level /security.txt may redirect to the /.well-known/ location but does not replace it.
- Consider publishing a Vulnerability Disclosure Policy (VDP) page for the Policy field to link to, and signing the file with an OpenPGP cleartext signature (including a Canonical field when you do).
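The following parser and validator is an added example, not SaaSalyst's check and not code from RFC 9116. It shows both the gap in a status-only presence check described under "What SaaSalyst Checks" (a soft 404 that returns 200 with HTML fails here) and the field rules from the steps above: Contact and Expires required, Expires parsed as an RFC 3339 timestamp and rejected once past, singleton fields, https-only URIs, and unwrapping of an OpenPGP cleartext signature. It assumes the file body has already been fetched over HTTPS; the sample bodies are constructed for illustration and the signature is not cryptographically verified.

```python
"""Parse and sanity-check a security.txt (RFC 9116) body.

Added example, not SaaSalyst's own check and not code from RFC 9116. Assumes
the body has already been fetched over HTTPS; sample bodies are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

REQUIRED = ("contact", "expires")                 # RFC 9116: both MUST be present
SINGLETON = ("expires", "preferred-languages")    # RFC 9116: at most one of each
HTTPS_ONLY = ("policy", "canonical", "hiring", "acknowledgments")


@dataclass
class Result:
    fields: dict[str, list[str]] = field(default_factory=dict)
    errors: list[str] = field(default_factory=list)
    warnings: list[str] = field(default_factory=list)
    signed: bool = False

    @property
    def ok(self) -> bool:
        return not self.errors


def parse(body: str) -> Result:
    """Split a body into fields, unwrapping an OpenPGP cleartext signature if present.
    The signature itself is NOT verified here; that needs a PGP library and the key."""
    res = Result()
    in_armor_header = False
    for raw in body.splitlines():
        line = raw.rstrip("\r")
        if line == "-----BEGIN PGP SIGNED MESSAGE-----":
            res.signed, in_armor_header = True, True   # "Hash: ..." lines follow until a blank line
            continue
        if in_armor_header:
            in_armor_header = line != ""
            continue
        if line == "-----BEGIN PGP SIGNATURE-----":
            break                                      # the signature block carries no fields
        if res.signed and line.startswith("- "):
            line = line[2:]                            # undo cleartext-signature dash escaping
        if not line.strip() or line.startswith("#"):
            continue                                   # blank lines and comments
        name, sep, value = line.partition(":")
        if not sep:
            res.errors.append(f"malformed line (no ':'): {line[:40]!r}")
            continue
        res.fields.setdefault(name.strip().lower(), []).append(value.strip())
    return res


def validate(body: str, now: datetime | None = None) -> Result:
    """Apply the RFC 9116 field rules a consumer would check before trusting the file."""
    now = now or datetime.now(timezone.utc)
    res = parse(body)
    f = res.fields
    for name in REQUIRED:
        if name not in f:
            res.errors.append(f"missing required field: {name}")
    for name in SINGLETON:
        if len(f.get(name, [])) > 1:
            res.errors.append(f"field must appear at most once: {name}")
    for uri in f.get("contact", []):
        scheme = urlsplit(uri).scheme.lower()
        if not scheme:
            res.errors.append(f"Contact must be a URI such as mailto:, got {uri!r}")
        elif scheme == "http":
            res.errors.append(f"Contact web URI must use https: {uri!r}")
    for name in HTTPS_ONLY:
        for uri in f.get(name, []):
            if urlsplit(uri).scheme.lower() != "https":
                res.errors.append(f"{name} must be an https URI: {uri!r}")
    for uri in f.get("encryption", []):
        if urlsplit(uri).scheme.lower() not in ("https", "dns", "openpgp4fpr"):
            res.errors.append(f"Encryption must be an https, dns or openpgp4fpr URI: {uri!r}")
    if len(f.get("expires", [])) == 1:
        raw = f["expires"][0]
        try:
            exp = datetime.fromisoformat(raw.replace("Z", "+00:00"))
            if exp.tzinfo is None:
                raise ValueError("missing timezone")
            if exp <= now:
                res.errors.append(f"file has expired: {raw}")
            elif exp - now > timedelta(days=365):
                res.warnings.append("Expires is more than a year out; RFC 9116 recommends under a year")
        except ValueError:
            res.errors.append(f"Expires is not an RFC 3339 timestamp: {raw!r}")
    if not res.signed:
        res.warnings.append("file is not OpenPGP cleartext-signed (recommended, not required)")
    elif "canonical" not in f:
        res.warnings.append("a signed file should also carry a Canonical field")
    return res


def check_response(status: int, content_type: str, body: str, now: datetime | None = None) -> Result:
    """Stricter than a status-only presence check: requires 200, text/plain and a body that validates."""
    res = validate(body, now)
    if status != 200:
        res.errors.insert(0, f"expected HTTP 200, got {status}")
    if not content_type.lower().startswith("text/plain"):
        res.errors.insert(0, f"Content-Type must be text/plain, got {content_type!r}")
    return res


# Constructed sample bodies (example.com is a placeholder, not a real organization's file).
GOOD = """\
# Constructed example of a valid security.txt
Contact: mailto:security@example.com
Contact: https://example.com/security/report
Expires: 2027-01-01T00:00:00.000Z
Encryption: https://example.com/pgp-key.txt
Preferred-Languages: en, de
Policy: https://example.com/security/vdp
Canonical: https://example.com/.well-known/security.txt
"""
BAD = "Contact: security@example.com\nExpires: 2024-01-01T00:00:00Z\nPreferred-Languages: en\nPreferred-Languages: de\n"
SOFT_404 = "<!DOCTYPE html><html><body>Page not found</body></html>"

if __name__ == "__main__":
    for label, status, ctype, body in (("good", 200, "text/plain; charset=utf-8", GOOD),
                                       ("bad", 200, "text/plain; charset=utf-8", BAD),
                                       ("soft 404", 200, "text/html; charset=utf-8", SOFT_404)):
        r = check_response(status, ctype, body)
        print(label, "OK" if r.ok else "FAIL", r.errors, r.warnings)
```

The soft-404 case is the one to remember: a status-only check passes it, while the content-type and parse checks fail it. The validator runs against a fixed `now` when you want reproducible results, for example in a CI job that fails the build once the file is within a month of its Expires date.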
Frequently Asked Questions
How does SaaSalyst check for security.txt?
SaaSalyst makes an HTTP HEAD request to /.well-known/security.txt on your domain. A 200 response means the file exists; otherwise, it's reported as missing. The check does not parse the file, so confirm its fields and Expires date yourself.
What should my security.txt contain?
At minimum, a Contact field (as a mailto: URI for your security team's address) and an Expires field; RFC 9116 requires both. SaaSalyst checks only for the file's presence, but including Preferred-Languages, Encryption and Policy fields, and signing the file, shows mature security practices.
How does security.txt affect my Business Readiness Score?
SaaSalyst rates security.txt as low severity in Security & Infrastructure. While missing it doesn't heavily penalize your score, enterprise security teams specifically look for it during vendor evaluation.