security.txt present at /.well-known/security.txt

ab-002583 · project-snapshot.legal.security-txt-present
Severity: low (active)

Why it matters

RFC 9116 security.txt is the canonical way for an outside security researcher to find a non-public disclosure channel; without it, someone discovering a vulnerability either guesses at an address (security@, abuse@, the WHOIS contact), drops the finding into the public issue tracker, or does not report it at all. Bug bounty triage platforms and automated vulnerability-disclosure crawlers (Shodan, InternetDB, disclose.io indexers) also key off /.well-known/security.txt to route reports. AI coding tools scaffold public/ and robots.txt but rarely the .well-known/ tree; the file is a two-minute addition that materially shortens the path from "researcher finds an issue" to "you hear about it before it's public."

Severity rationale

Low because the absence does not itself create a vulnerability — it only degrades the disclosure channel — and the fix is a single static file with three lines of content.

Remediation

Create public/.well-known/security.txt:

Contact: mailto:security@example.com
Expires: 2027-01-01T00:00:00.000Z
Preferred-Languages: en

Deeper remediation guidance and cross-reference coverage for this check lives in the gdpr-readiness Pro audit — run that after applying this fix for a more exhaustive pass on the same topic.

Detection

  • ID: project-snapshot.legal.security-txt-present
  • Severity: low
  • What to look for: Check for public/.well-known/security.txt, static/.well-known/security.txt, or framework-route equivalents. The file should contain at minimum a Contact: line.
  • Pass criteria: File exists and contains at least one valid Contact: directive (URL or mailto).
  • Fail criteria: File missing, or present but lacks Contact:.
  • Skip (N/A) when: Non-web project (CLI / library / mobile-only). Quote project type when skipping.
  • Do NOT pass when: File exists but is empty or contains only commented-out lines.
  • Report even on pass: "security.txt found at {path}; Contact: {first contact directive}."
  • Detail on fail: "No security.txt at public/.well-known/security.txt or any equivalent path".
  • Remediation: Create public/.well-known/security.txt:
    Contact: mailto:security@example.com
    Expires: 2027-01-01T00:00:00.000Z
    Preferred-Languages: en
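As an added example (not the audit tool's own code), the pass, fail and skip criteria above implemented in Python: it scans the candidate paths, skips blank and comment-only lines, and accepts only URI-form Contact: values as RFC 9116 requires. The candidate path list, the project-root argument and the web_project flag are assumptions of this example.

```python
"""Added example: a minimal implementation of the security-txt-present check
described above (not the audit tool's own code). The candidate paths are
constructed for illustration; framework-route equivalents are not covered."""
import re
from pathlib import Path

CANDIDATE_PATHS = ("public/.well-known/security.txt", "static/.well-known/security.txt")
CONTACT_RE = re.compile(r"^Contact:\s*(?P<value>\S.*?)\s*$", re.IGNORECASE)
# RFC 9116 requires a URI; mailto:, https:// and tel: cover the usual forms.
VALID_CONTACT = re.compile(r"^(mailto:[^@\s]+@[^@\s]+|https://\S+|tel:\S+)$", re.IGNORECASE)


def parse_contacts(text: str) -> list[str]:
    """Return valid Contact: values, skipping blank and '#' comment lines."""
    contacts = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = CONTACT_RE.match(line)
        if m and VALID_CONTACT.match(m.group("value")):
            contacts.append(m.group("value"))
    return contacts


def check_security_txt(project_root, web_project: bool = True) -> dict:
    """Apply the pass / fail / skip criteria from the detection bullets."""
    if not web_project:
        return {"status": "skip", "detail": "Non-web project (CLI / library / mobile-only)"}
    root = Path(project_root)
    for rel in CANDIDATE_PATHS:
        path = root / rel
        if not path.is_file():
            continue
        contacts = parse_contacts(path.read_text(encoding="utf-8", errors="replace"))
        if contacts:  # report even on pass, quoting the first directive
            return {"status": "pass", "path": rel,
                    "detail": f"security.txt found at {rel}; Contact: {contacts[0]}"}
        # Present but empty, comment-only, or without a valid Contact: is a fail.
        return {"status": "fail", "path": rel,
                "detail": f"security.txt at {rel} lacks a valid Contact: directive"}
    return {"status": "fail", "path": None,
            "detail": "No security.txt at public/.well-known/security.txt or any equivalent path"}
```

Call check_security_txt(project_root) on a checkout; a bare address without mailto: fails validation, which matches the intent of the "do NOT pass" bullet.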
    
