security.txt Validator
Check if a website has a valid security.txt file for responsible vulnerability disclosure.
Why security.txt Matters
Easy Contact
Security researchers can quickly find how to report vulnerabilities.
Responsible Disclosure
Define your vulnerability disclosure policy clearly.
Industry Standard
RFC 9116 standard adopted by major organizations.
Frequently Asked Questions
What is security.txt?
security.txt is a standard (RFC 9116) that allows websites to define security policies and contact information for security researchers to report vulnerabilities.
Where should security.txt be located?
It should be at /.well-known/security.txt (preferred) or /security.txt in the root of your domain.
What should security.txt contain?
At minimum: a Contact field (email or URL) and an Expires field. Optional fields include Encryption, Acknowledgments, Policy, and Preferred-Languages.