Fix guide · info · missing_security_txt

No /.well-known/security.txt published

What this rule means

Your site has no security.txt file at the canonical location.

Why it matters

security.txt is the standard channel for responsible disclosure. Without it, security researchers who find a bug have no obvious way to contact you privately. They might publish first.

How to fix it

Create /public/.well-known/security.txt:

Contact: mailto:[email protected]
Expires: 2027-12-31T23:59:59Z
Preferred-Languages: en
Canonical: https://yourdomain.com/.well-known/security.txt

Sign it with PGP if you have a key. The securitytxt.org generator is good.
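Before re-running the scan, it is worth checking that the file you publish is well-formed. The validator below is an added example (not code from vibecheck or the securitytxt.org generator) that applies the RFC 9116 rules: required Contact and Expires fields, single-valued fields, expected URI schemes, and an Expires timestamp that is neither past nor more than a year out. The example.com addresses, sample files and fixed reference time are constructed for the demonstration.

```python
from datetime import datetime, timezone, timedelta
REQUIRED = {"Contact", "Expires"}
SINGLE_VALUED = {"Expires", "Preferred-Languages"}
SCHEMES = {"Contact": ("mailto:", "tel:", "https://"), "Canonical": ("https://",)}

def parse_security_txt(text):
    """Map field name -> list of values; comments and blank lines are skipped."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            fields.setdefault("_malformed", []).append(line)
            continue
        name, value = line.split(":", 1)
        # Field names are case-insensitive in RFC 9116; normalise for lookup.
        fields.setdefault(name.strip().title(), []).append(value.strip())
    return fields

def validate_security_txt(text, now=None):
    """Return a list of findings; an empty list means the file passes."""
    now = now or datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    findings = [f"malformed line: {l!r}" for l in fields.pop("_malformed", [])]
    findings += [f"missing required field: {n}" for n in sorted(REQUIRED - fields.keys())]
    findings += [f"{n} must appear only once" for n in SINGLE_VALUED if len(fields.get(n, [])) > 1]
    for name, allowed in SCHEMES.items():
        for value in fields.get(name, []):
            if not value.startswith(allowed):
                findings.append(f"{name} uses an unexpected scheme: {value}")
    for value in fields.get("Expires", [])[:1]:
        try:
            expires = datetime.fromisoformat(value.replace("Z", "+00:00"))
        except ValueError:
            findings.append(f"Expires is not an RFC 3339 timestamp: {value}")
            continue
        if expires.tzinfo is None:
            findings.append("Expires lacks a timezone offset")
        elif expires <= now:
            findings.append("Expires is in the past; the file will be treated as stale")
        elif expires > now + timedelta(days=365):
            findings.append("Expires is more than a year out; RFC 9116 recommends less")
    return findings

# Constructed inputs: a fixed reference time, a valid file, and a broken one.
REF_NOW = datetime(2027, 6, 1, tzinfo=timezone.utc)
GOOD = ("Contact: mailto:security@example.com\nExpires: 2027-12-31T23:59:59Z\n"
        "Preferred-Languages: en\nCanonical: https://example.com/.well-known/security.txt\n")
BAD = "Contact: security@example.com\nCanonical: http://example.com/.well-known/security.txt\n"
```

Running `validate_security_txt(BAD, REF_NOW)` reports the missing Expires field, the bare e-mail address that is not a mailto: URI, and the http:// Canonical URL.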

Did vibecheck flag this on your app?

If you reached this page from a vibecheck inspection report, the redacted match in your scan output is the exact string we found in your bundle. After applying the fix above, run the inspection again — the finding should clear.
