When a website does not clearly define how to report security issues, third parties often send messages to whatever contact they can find. That may include executives, general inboxes, or non-technical staff.
A security.txt file solves this by providing a standard, machine-readable way to direct legitimate security reports to the right place.
What Is security.txt?
security.txt is a small text file placed on your website that tells security researchers:
- who to contact if they find a security issue
- how to report it
- what expectations or limitations apply
This helps prevent confusion and keeps technical issues away from non-technical staff.
Why This Matters
Without a security.txt file, you may receive messages like:
- vague “high severity” vulnerability claims
- unsolicited “bug bounty” payment requests
- sales pitches disguised as security reports
- emails sent directly to executives or owners
Some of these are legitimate. Many are not.
A security.txt file gives you control over how these reports are handled.
Where to Place the File
Publish the file at the standard location defined by RFC 9116, and also at the site root for older scanners and researchers that still look there:
https://www.example.com/.well-known/security.txt
https://www.example.com/security.txt
Serve both copies over HTTPS and keep their contents identical. This ensures compatibility with scanners and researchers.
Recommended security.txt File
Contact: mailto:security@example.com
Expires: 2026-12-31T23:59:59Z
Preferred-Languages: en
Policy: https://www.example.com/security-policy
# Notes:
# - We do not operate a bug bounty program.
# - Do not contact executives or staff directly.
# - Reports requesting payment will be ignored.
# - Only reproducible, technical disclosures will be reviewed.
Replace example.com with your domain and use a monitored mailbox. Contact and Expires are the two required fields; lines beginning with # are comments. Keep Expires no more than a year ahead, because researchers and scanners treat a file past its Expires date as stale, and serve the file as plain text (Content-Type: text/plain).
Optional Security Policy Page
We recommend a short page that explains:
- what qualifies as a valid report
- what information must be included
- that you do not offer unsolicited payments
- that executives should not be contacted directly
This filters out most low-quality or sales-driven messages.
Managed Security Report Handling (Optional Service)
If you prefer not to deal with these messages at all, we can act as your point of contact.
With this service, we will:
- be listed as the contact in your security.txt file
- receive and review all incoming security-related emails
- separate legitimate findings from “beg bounty” or sales messages
- evaluate technical validity and potential impact
- advise you on whether action is required
- provide clear next steps when something is real
This keeps your team focused and prevents unnecessary escalation or panic.
Important: This service does not include penetration testing or ongoing monitoring. It is limited to evaluating inbound reports and advising on next steps.
Benefits of This Approach
- no more security emails going to executives
- reduced noise from unsolicited “bug bounty” requests
- clear, consistent handling of all reports
- expert evaluation before any action is taken
Simple Deployment Checklist
- Create the security.txt file
- Add a contact email (or use our managed service)
- Set an expiration date
- Create a short policy page
- Upload to both locations (/.well-known/security.txt and /security.txt)
- Test both URLs over HTTPS and confirm they return the same file
- Set a yearly reminder to update the file
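To check the file before and after publishing it, here is a small validator, added as a worked example that is not part of the original article. It parses a security.txt body the way RFC 9116 defines the format (Name: value lines, # comments, case-insensitive field names) and flags the mistakes that most often make a file useless: a missing Contact, a missing, past or naive-timestamp Expires, an Expires more than a year out, and http:// URLs where https:// is required. The sample it checks is the recommended file from this article, constructed inline; the function names parse_security_txt, validate and check_file are this example's own.

```python
# Added example (not from the original article): a small RFC 9116
# security.txt parser and validator. Function names and the SAMPLE text
# are this example's own; SAMPLE is the recommended file from above.
from datetime import datetime, timedelta, timezone

SAMPLE = """\
Contact: mailto:security@example.com
Expires: 2026-12-31T23:59:59Z
Preferred-Languages: en
Policy: https://www.example.com/security-policy
# Notes:
# - We do not operate a bug bounty program.
# - Do not contact executives or staff directly.
# - Reports requesting payment will be ignored.
# - Only reproducible, technical disclosures will be reviewed.
"""


def parse_security_txt(text):
    """Map each field name to the list of its values.

    Comment lines (starting with #) and blank lines are ignored. RFC 9116
    field names are case-insensitive, so they are lower-cased here.
    """
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"malformed line (no 'Name: value'): {raw!r}")
        name, value = line.split(":", 1)
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def _parse_timestamp(value):
    """Parse an ISO 8601 timestamp such as 2026-12-31T23:59:59Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate(fields, now):
    """Return a list of problems found; an empty list means the file passes."""
    problems = []

    contacts = fields.get("contact", [])
    if not contacts:
        problems.append("Contact is required")
    for uri in contacts:
        if not uri.startswith(("mailto:", "https://", "tel:")):
            problems.append(f"Contact should be a mailto:, https:// or tel: URI: {uri}")

    expires = fields.get("expires", [])
    if len(expires) != 1:
        problems.append("exactly one Expires field is required")
    else:
        try:
            exp = _parse_timestamp(expires[0])
        except ValueError:
            problems.append(f"Expires is not an ISO 8601 timestamp: {expires[0]}")
        else:
            if exp.tzinfo is None:
                problems.append("Expires must include a time zone (use a trailing Z)")
            elif exp <= now:
                problems.append("file has expired; researchers will treat it as stale")
            elif exp > now + timedelta(days=365):
                problems.append("Expires is over a year away; keep it under a year")

    # Web URIs in these fields must be served over HTTPS.
    for name in ("policy", "canonical", "acknowledgments", "hiring", "encryption"):
        for uri in fields.get(name, []):
            if uri.startswith("http://"):
                problems.append(f"{name.capitalize()} must use https://, not http://: {uri}")

    return problems


def check_file(text, now_iso=None):
    """Parse and validate a security.txt body. now_iso overrides the clock for tests."""
    now = _parse_timestamp(now_iso) if now_iso else datetime.now(timezone.utc)
    return validate(parse_security_txt(text), now)


if __name__ == "__main__":
    for problem in check_file(SAMPLE) or ["OK: no problems found"]:
        print(problem)
```

For the "test both URLs" step, fetch each location (for example with curl) and pass the response body to check_file; both copies should parse to identical fields and return no problems. Re-running it from the yearly reminder catches an Expires that has quietly lapsed.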
Need Help?
If you'd like us to implement security.txt across your sites or act as your security contact, please submit a request through our support portal.