security.txt present
Why it matters
Without a security.txt file, security researchers who discover a vulnerability in your system have no official channel to report it responsibly — so they either publish publicly or simply move on. NIST 800-53 rev5 SI-5 (Security Alerts, Advisories, and Directives) and IR-6 (Incident Reporting) require systems to have mechanisms for receiving security information; FedRAMP rev5 IR-6 extends this to cloud providers. RFC 9116 formalizes security.txt as the standard machine-readable disclosure policy. Government procurement increasingly requires a published vulnerability disclosure policy as a condition of contract. A missing file does not stop researchers from finding issues — it stops them from telling you.
Severity rationale
Info because an absent security.txt does not directly increase attack surface, but it removes the primary responsible-disclosure channel and signals to evaluators that a vulnerability disclosure policy may be absent entirely.
Remediation
Create public/.well-known/security.txt with at minimum a Contact field and a future Expires date. Generate a signed file using https://securitytxt.org for the canonical format.
# public/.well-known/security.txt
Contact: mailto:security@yourcompany.com
Expires: 2027-01-01T00:00:00.000Z
Preferred-Languages: en
Policy: https://yourcompany.com/security-policy
Acknowledgments: https://yourcompany.com/thanks
Verify it is publicly accessible at https://yourdomain.com/.well-known/security.txt after deployment. In Next.js App Router, the public/ directory serves static files at the root — no additional route configuration is needed. Rotate the Expires date annually and update it before it lapses, as an expired security.txt is treated as absent by automated scanners.
Detection
- ID: security-txt
- Severity: info
- What to look for: Look for a .well-known/security.txt or public/.well-known/security.txt file. Count the number of required fields present: Contact, Expires, Preferred-Languages, and Policy. Quote the actual Contact value found.
- Pass criteria: A /.well-known/security.txt file exists with at least 2 required fields: Contact (email or URL) and Expires (valid future date). Additional fields (Preferred-Languages, Policy, Acknowledgments) are recommended.
- Fail criteria: No security.txt found, or security.txt exists but is missing the required Contact field.
- Skip (N/A) when: Never — security.txt is the standard way to report vulnerabilities.
- Detail on fail: "No /.well-known/security.txt file found."
- Remediation: Create security.txt:
# public/.well-known/security.txt
Contact: mailto:security@company.com
Expires: 2025-12-31T23:59:59.000Z
Preferred-Languages: en
Policy: https://company.com/security-policy
Acknowledgments: https://company.com/security-acknowledgments
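The pass/fail criteria above, and the post-deployment verification step in Remediation, can be applied programmatically. The following is an added example written for this page, not the scanner's own implementation: it takes the body of an already-fetched /.well-known/security.txt (or None when the fetch returned nothing), parses the fields, checks that Contact is present and that Expires is a valid date in the future, and reports the Contact value and any recommended fields that are missing. It goes slightly beyond the page's "email or URL" wording by warning (without failing) when Contact is not a mailto:/https:/tel: URI, which is what RFC 9116 requires. The sample bodies and the fixed scan date are constructed for illustration; clearsigned files are unwrapped but the signature is not verified.

```python
"""Evaluate a security.txt body against the security-txt check criteria (added example)."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timezone
from urllib.parse import urlparse

REQUIRED_FIELDS = ("Contact", "Expires")
RECOMMENDED_FIELDS = ("Preferred-Languages", "Policy", "Acknowledgments")
# RFC 9116 requires Contact to be a URI; a bare e-mail address only earns a warning here.
CONTACT_SCHEMES = ("mailto", "https", "http", "tel")


@dataclass
class SecurityTxtResult:
    status: str                      # "pass" or "fail"
    detail: str                      # text to report, e.g. "No /.well-known/security.txt file found."
    contact: str | None = None       # the actual Contact value found, quoted in the report
    fields: dict[str, list[str]] = field(default_factory=dict)
    warnings: list[str] = field(default_factory=list)


def _strip_pgp_armor(text: str) -> str:
    """Return the signed body of a clearsigned file. The signature is NOT verified."""
    lines = text.splitlines()
    if not lines or lines[0].strip() != "-----BEGIN PGP SIGNED MESSAGE-----":
        return text
    body: list[str] = []
    in_body = False
    for line in lines[1:]:
        if line.strip() == "-----BEGIN PGP SIGNATURE-----":
            break
        if in_body:
            body.append(line[2:] if line.startswith("- ") else line)  # undo dash-escaping
        elif line.strip() == "":
            in_body = True  # the blank line ends armor headers such as "Hash: SHA256"
    return "\n".join(body)


def parse_security_txt(text: str) -> dict[str, list[str]]:
    """Parse 'Field: value' lines; a field may repeat (Contact often does)."""
    fields: dict[str, list[str]] = {}
    for raw in _strip_pgp_armor(text).splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        name, sep, value = line.partition(":")  # split on the FIRST colon only, so mailto: survives
        if not sep:
            continue
        fields.setdefault(name.strip(), []).append(value.strip())
    return fields


def parse_expires(value: str) -> datetime | None:
    """Parse an RFC 3339 timestamp such as 2027-01-01T00:00:00.000Z; None if invalid."""
    try:
        parsed = datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return None
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)


def evaluate_security_txt(text: str | None, now: datetime | None = None) -> SecurityTxtResult:
    """Apply the check: Contact present, Expires a valid future date, recommended fields noted."""
    now = now or datetime.now(timezone.utc)
    if text is None:
        return SecurityTxtResult("fail", "No /.well-known/security.txt file found.")
    fields = parse_security_txt(text)
    contacts = fields.get("Contact", [])
    if not contacts:
        return SecurityTxtResult("fail", "security.txt exists but is missing the required Contact field.", fields=fields)
    contact = contacts[0]
    warnings: list[str] = []
    if urlparse(contact).scheme not in CONTACT_SCHEMES:
        warnings.append(f"Contact {contact!r} is not a mailto:/https:/tel: URI as RFC 9116 requires")
    expires = fields.get("Expires", [])
    expires_at = parse_expires(expires[0]) if expires else None
    if expires_at is None:
        return SecurityTxtResult("fail", "security.txt is missing a valid Expires field.", contact, fields, warnings)
    if expires_at <= now:
        return SecurityTxtResult("fail", f"security.txt expired on {expires[0]}; scanners treat it as absent.", contact, fields, warnings)
    missing = [name for name in RECOMMENDED_FIELDS if name not in fields]
    if missing:
        warnings.append("recommended fields missing: " + ", ".join(missing))
    present = [name for name in REQUIRED_FIELDS + RECOMMENDED_FIELDS if name in fields]
    return SecurityTxtResult("pass", f"{len(present)} of 5 fields present; Contact={contact}", contact, fields, warnings)


# Constructed sample bodies (not real files) and a fixed scan date so results are reproducible.
SAMPLE_OK = (
    "# public/.well-known/security.txt\n"
    "Contact: mailto:security@yourcompany.com\n"
    "Expires: 2027-01-01T00:00:00.000Z\n"
    "Preferred-Languages: en\n"
    "Policy: https://yourcompany.com/security-policy\n"
    "Acknowledgments: https://yourcompany.com/thanks\n"
)
SAMPLE_NO_CONTACT = "Expires: 2027-01-01T00:00:00.000Z\nPolicy: https://yourcompany.com/security-policy\n"
SAMPLE_EXPIRED = "Contact: mailto:security@yourcompany.com\nExpires: 2025-12-31T23:59:59.000Z\n"
SAMPLE_BARE_EMAIL = "Contact: security@yourcompany.com\nExpires: 2027-01-01T00:00:00.000Z\n"
SCAN_DATE = datetime(2026, 4, 18, tzinfo=timezone.utc)

if __name__ == "__main__":
    cases = [("ok", SAMPLE_OK), ("no-contact", SAMPLE_NO_CONTACT), ("expired", SAMPLE_EXPIRED),
             ("bare-email", SAMPLE_BARE_EMAIL), ("missing", None)]
    for label, body in cases:
        result = evaluate_security_txt(body, SCAN_DATE)
        print(f"{label:11} {result.status:4} {result.detail}  warnings={result.warnings}")
```

Run against the body returned by an HTTP GET of https://yourdomain.com/.well-known/security.txt after deployment; passing None when the request returns 404 reproduces the page's "Detail on fail" text. Because the check is evaluated against a supplied `now`, it can also be scheduled ahead of the Expires date to catch the annual rotation before automated scanners start treating the file as absent.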
External references
- nist:rev5 · SI-5 — Security Alerts, Advisories, and Directives
- nist:rev5 · IR-6 — Incident Reporting
- fedramp:rev5 · IR-6 — FedRAMP IR-6 — public vulnerability disclosure channel
Taxons
History
- 2026-04-18·v1.0.0·Initial import from gov-fisma-fedramp·automated