How to Fix Missing security.txt
Use this page when the security.txt Checker shows a missing, stale, or malformed responsible disclosure record.
What This Means
security.txt is operational, not purely technical. The fix is not just to publish a file. The file should point to a real disclosure workflow with current contacts, scope language, and policy URLs that the organization is prepared to honor.
| Field | What to verify | Why it matters |
|---|---|---|
| Contact | A reachable disclosure channel given as a mailto:, https:, or tel: URI | Researchers need a dependable way to report issues. |
| Expires | An ISO 8601 date-time that is still in the future (RFC 9116 recommends less than a year out) | Old files reduce trust in the policy. |
| Policy fields | Optional but useful supporting fields (Policy, Acknowledgments, Hiring, Canonical, Preferred-Languages) | These help communicate maturity and expectations. |
| Location | Published at /.well-known/security.txt, served as plain text over HTTPS | Discoverability matters as much as content. |
Common Causes
Patterns worth checking first
- No owner: The organization never assigned responsibility for disclosure intake.
- Policy drift: A file was published once, then left stale after team or process changes.
- Format issues: The file exists but is missing a required field (Contact or Expires), is served from the wrong path, or is not served as plain text.
How To Confirm It Safely
Confirmation steps
- Check whether the file exists at /.well-known/security.txt over HTTPS and is returned as plain text.
- Confirm the Contact address or URL is actively monitored by the team named as the owner.
- Review the Expires date (it must be in the future) and open every linked policy URL.
- Validate formatting against RFC 9116 before publishing to production.
Fix Workflow
- Define the disclosure owner. Choose the team, inbox, or process that will handle reports before publishing the file.
- Publish a clean baseline. Start with the two required fields, Contact and Expires, then add supporting fields you will maintain.
- Link to the real policy. Make sure the policy and expectations match what your team can actually support.
- Retest the public path. Confirm the file is reachable and formatted correctly on the live site.
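The confirmation steps and the fix workflow above as one runnable check. This is an added example, not code from the original page or from the security.txt Checker; it uses only the Python standard library, the sample file contents and the fixed clock are constructed for the illustration, and fetching the live file is left to you: pass the text you retrieved and the URL you retrieved it from to validate().

```python
"""Render and validate an RFC 9116 security.txt record offline (added example)."""
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

REQUIRED = ("Contact", "Expires")
KNOWN = REQUIRED + ("Acknowledgments", "Canonical", "Encryption", "Hiring",
                    "Policy", "Preferred-Languages")
HTTPS_ONLY = ("Policy", "Acknowledgments", "Hiring", "Canonical")
MAX_AHEAD = timedelta(days=365)      # RFC 9116 recommends Expires < 1 year out
WELL_KNOWN = "/.well-known/security.txt"


def render(contact, policy=None, cadence_days=180, now=None):
    """Build a baseline file; Expires is tied to a refresh cadence the owner can keep."""
    now = now or datetime.now(timezone.utc)
    expires = (now + timedelta(days=cadence_days)).strftime("%Y-%m-%dT%H:%M:%SZ")
    lines = [f"Contact: {contact}", f"Expires: {expires}"]
    if policy:
        lines.append(f"Policy: {policy}")
    return "\n".join(lines) + "\n"


def parse(text):
    """Return (field, value) pairs; '#' comments and blank lines are skipped.
    Lines without a 'Field: value' shape are kept under the key '_malformed'."""
    pairs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        pairs.append((name.strip(), value.strip()) if sep else ("_malformed", line))
    return pairs


def validate(text, served_at=None, now=None):
    """Return a list of findings; an empty list means the record looks healthy."""
    now = now or datetime.now(timezone.utc)
    by_name = {}
    for name, value in parse(text):
        by_name.setdefault(name, []).append(value)
    findings = []

    for line in by_name.pop("_malformed", []):
        findings.append(f"malformed line: {line!r}")
    for name in REQUIRED:
        if name not in by_name:
            findings.append(f"missing required field {name}")
    if len(by_name.get("Expires", [])) > 1:
        findings.append("Expires must appear exactly once")

    for contact in by_name.get("Contact", []):
        if urlparse(contact).scheme not in ("mailto", "https", "tel"):
            findings.append(f"Contact is not a mailto:/https:/tel: URI: {contact}")

    for exp in by_name.get("Expires", [])[:1]:
        try:  # accept the trailing 'Z' on every supported Python version
            when = datetime.fromisoformat(exp.replace("Z", "+00:00"))
        except ValueError:
            findings.append(f"Expires is not ISO 8601: {exp}")
            continue
        if when.tzinfo is None:
            findings.append(f"Expires has no timezone: {exp}")
        elif when <= now:
            findings.append(f"Expires is in the past: {exp}")
        elif when - now > MAX_AHEAD:
            findings.append(f"Expires is more than a year out: {exp}")

    for name in HTTPS_ONLY:
        for url in by_name.get(name, []):
            if urlparse(url).scheme != "https":
                findings.append(f"{name} is not an https URL: {url}")

    for name in by_name:
        if name not in KNOWN:
            findings.append(f"unknown field {name} (typo or unsupported extension?)")

    if served_at:  # the URL the file was actually fetched from
        u = urlparse(served_at)
        if u.scheme != "https" or u.path != WELL_KNOWN:
            findings.append(f"expected https://<host>{WELL_KNOWN}, got {served_at}")
        if "Canonical" in by_name and served_at not in by_name["Canonical"]:
            findings.append("served URL is not listed in Canonical")
    return findings


# Constructed samples with a fixed clock so the results are repeatable.
NOW = datetime(2026, 6, 1, tzinfo=timezone.utc)
GOOD = render("mailto:security@example.com", "https://example.com/security", now=NOW)
STALE = """# Published once, then forgotten (constructed sample)
Contact: security@example.com
Expires: 2021-01-01T00:00:00.000Z
Policy: http://example.com/security
"""

if __name__ == "__main__":
    for finding in validate(STALE, served_at="https://example.com/security.txt", now=NOW):
        print("-", finding)
```

Run it as a script to see the four findings for the stale sample (bare e-mail address instead of a mailto: URI, an Expires in the past, an http: policy link, and a legacy top-level path). The same validate() call against the live text and URL is the retest step of the workflow; render() with a cadence of 180 days keeps Expires inside the one-year window the RFC recommends.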
Implementation Examples
Minimal security.txt example (serve it at /.well-known/security.txt as plain text over HTTPS)
Contact: mailto:security@example.com
Expires: 2027-01-01T00:00:00.000Z
Policy: https://example.com/security
Rollout Risks
A published file can still hurt trust if the contact path is dead
Researchers notice quickly when the stated workflow is not real.
- Monitor the contact address.
- Keep policy expectations aligned with internal handling.
Optional fields create maintenance debt if no one owns them
Only publish supporting fields you intend to keep current.
- Freshness matters more than length.
- Keep the file simple if the process is still maturing.
Validation Checklist
Post-fix validation
- security.txt is published at /.well-known/security.txt and served as plain text over HTTPS.
- Contact and Expires are present, and the Expires date is still in the future.
- The contact path and linked policy are active and intentional.
- The security.txt Checker confirms a healthy public record.
FAQ
Do I need a bug bounty to publish security.txt?
No. security.txt tells researchers where to report and what to expect; a bug bounty is optional and can be linked later if you run one.
- Start with a working contact path.
- Add more maturity signals over time if they are real.
How often should I update Expires?
Refresh it on a cadence your team can reliably maintain; RFC 9116 recommends a date less than a year out, and a file whose Expires has passed is treated as stale.
- Set a calendar reminder.
- Treat stale dates as a trust issue, not a cosmetic issue.