Without a security.txt file, security researchers who discover a vulnerability in your system have no official channel to report it responsibly — so they either publish publicly or simply move on. NIST 800-53 rev5 SI-5 (Security Alerts, Advisories, and Directives) and IR-6 (Incident Reporting) require systems to have mechanisms for receiving security information; FedRAMP rev5 IR-6 extends this to cloud providers. RFC 9116 formalizes security.txt as the standard machine-readable disclosure policy. Government procurement increasingly requires a published vulnerability disclosure policy as a condition of contract. A missing file does not stop researchers from finding issues — it stops them from telling you.
Info because an absent security.txt does not directly increase attack surface, but it removes the primary responsible-disclosure channel and signals to evaluators that a vulnerability disclosure policy may be absent entirely.
Create public/.well-known/security.txt with at minimum a Contact field and a future Expires date. Generate a signed file using https://securitytxt.org for the canonical format.
# public/.well-known/security.txt
Contact: mailto:security@yourcompany.com
Expires: 2027-01-01T00:00:00.000Z
Preferred-Languages: en
Policy: https://yourcompany.com/security-policy
Acknowledgments: https://yourcompany.com/thanks
Verify it is publicly accessible at https://yourdomain.com/.well-known/security.txt after deployment. In Next.js App Router, the public/ directory serves static files at the root — no additional route configuration is needed. Rotate the Expires date annually and update it before it lapses, as an expired security.txt is treated as absent by automated scanners.
ID: gov-fisma-fedramp.documentation-readiness.security-txt
Severity: info
What to look for: Look for a .well-known/security.txt or public/.well-known/security.txt file. Count the number of required fields present: Contact, Expires, Preferred-Languages, and Policy. Quote the actual Contact value found.
Pass criteria: A /.well-known/security.txt file exists with at least 2 required fields: Contact (email or URL) and Expires (valid future date). Additional fields (Preferred-Languages, Policy, Acknowledgments) are recommended.
Fail criteria: No security.txt found, or security.txt exists but is missing the required Contact field.
Skip (N/A) when: Never — security.txt is the standard way to report vulnerabilities.
Detail on fail: "No /.well-known/security.txt file found."
Remediation: Create security.txt:
# public/.well-known/security.txt
Contact: mailto:security@company.com
Expires: 2025-12-31T23:59:59.000Z
Preferred-Languages: en
Policy: https://company.com/security-policy
Acknowledgments: https://company.com/security-acknowledgments
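The pass/fail criteria above, applied by a small checker. This is an added example, not part of the check definition or its scanner; the sample files, the example.com addresses and the fixed check date are constructed, and the accepted Contact URI schemes (mailto:, https://, tel:) are an assumption drawn from RFC 9116.

```python
import re
from datetime import datetime, timezone

RECOMMENDED = ("Preferred-Languages", "Policy", "Acknowledgments")
# Fixed "now" so results are reproducible (assumption: the check runs on 2026-01-01).
FIXED_NOW = datetime(2026, 1, 1, tzinfo=timezone.utc)

# Constructed sample files: one that passes, one with a bare e-mail address, one expired.
GOOD = "# security.txt\nContact: mailto:security@example.com\nExpires: 2027-01-01T00:00:00.000Z\nPolicy: https://example.com/security-policy\n"
BARE_EMAIL = "Contact: security@example.com\nExpires: 2027-01-01T00:00:00.000Z\n"
EXPIRED = "Contact: mailto:security@example.com\nExpires: 2025-12-31T23:59:59.000Z\n"

def parse_security_txt(text):
    """Parse 'Field: value' lines into {field: [values]}, skipping comments and blank lines."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, value = line.split(":", 1)
        fields.setdefault(name.strip(), []).append(value.strip())
    return fields

def check_security_txt(text, now=None):
    """Apply the pass/fail criteria: Contact present (as a URI) and Expires a valid future date.
    Returns (status, detail); recommended fields are reported but do not fail the check."""
    now = now or datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    contacts = fields.get("Contact", [])
    if not contacts:
        return "fail", "security.txt exists but is missing the required Contact field."
    # RFC 9116 requires Contact values to be URIs; a bare address is a common mistake.
    bad = [c for c in contacts if not re.match(r"^(mailto:|https://|tel:)", c)]
    if bad:
        return "fail", f"Contact value is not a URI: {bad[0]!r}"
    expires = fields.get("Expires", [])
    if len(expires) != 1:
        return "fail", "Expires must appear exactly once."
    try:
        exp = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
    except ValueError:
        return "fail", f"Expires is not an ISO 8601 date-time: {expires[0]!r}"
    if exp.tzinfo is None:
        exp = exp.replace(tzinfo=timezone.utc)
    if exp <= now:
        return "fail", f"security.txt expired on {expires[0]}; scanners treat it as absent."
    missing = [f for f in RECOMMENDED if f not in fields]
    detail = f"Contact: {contacts[0]}"
    if missing:
        detail += "; recommended fields missing: " + ", ".join(missing)
    return "pass", detail
```

Point it at the body fetched from https://yourdomain.com/.well-known/security.txt after deployment to confirm the file is both served and still valid.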