Security.txt – What? Why? How?

What is Security.txt?

security.txt is a standardized text file that lets organizations define their preferred process for security researchers to disclose security vulnerabilities securely.

You may use the generator on securitytxt.org to generate your own security.txt.

Why is it Important?

When independent security researchers discover security risks in web services, they often lack proper channels for disclosure. Consequently, security issues may remain unreported, posing a continued risk.

How to Implement in .NET?

The file should be accessible at the relative URL /.well-known/security.txt, and you might add it to a .NET 8 project like this.

[Image: a file named security.txt added to a .NET project]

You might find that the file is not included when deploying from Azure DevOps, because the folder name starts with a dot (.), indicating that it's hidden.

One possible solution is to include the file manually in the project file, like this.

    <Content Include="wwwroot\.well-known\security.txt" />
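
A check you could run against the publish output before deploying, as an added example that is not part of the original post: it confirms the file survived publishing under wwwroot/.well-known/ and that it carries the Contact and Expires fields that RFC 9116 (the security.txt specification) requires. The function names and the constructed sample folder are assumptions made for this example.

```python
import tempfile
from datetime import datetime, timezone
from pathlib import Path
# Where the file must sit inside the publish output (wwwroot is the web root).
REL_PATH = Path("wwwroot") / ".well-known" / "security.txt"

def check_security_txt(publish_dir, now=None):
    """Return a list of problems; an empty list means the file passed."""
    now = now or datetime.now(timezone.utc)
    path = Path(publish_dir) / REL_PATH
    if not path.is_file():
        return ["missing from publish output: " + REL_PATH.as_posix()]
    fields = {}
    for raw in path.read_text(encoding="utf-8").splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue  # blank line, comment, or not a "Name: value" line
        name, value = line.split(":", 1)
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    problems = []
    contacts = fields.get("contact", [])
    if not contacts:
        problems.append("no Contact field")
    for c in contacts:  # a bare e-mail address is the usual mistake
        if not c.lower().startswith(("mailto:", "tel:", "https://")):
            problems.append("Contact is not a mailto:, tel: or https:// URI: " + c)
    expires = fields.get("expires", [])
    if len(expires) != 1:
        problems.append("need exactly one Expires field, found %d" % len(expires))
    else:
        try:
            when = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
        except ValueError:
            when = None
        if when is None or when.tzinfo is None:
            problems.append("Expires is not a timestamp with a time zone")
        elif when <= now:
            problems.append("Expires is in the past: " + expires[0])
    return problems

def write_sample(publish_dir, text):  # builds the constructed test folder
    target = Path(publish_dir) / REL_PATH
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_text(text, encoding="utf-8")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:  # constructed publish folder
        write_sample(d, "Contact: security@example.com\nExpires: 2999-01-01T00:00:00Z\n")
        print(check_security_txt(d))  # flags the bare e-mail address
```

Pointing `check_security_txt` at the real publish folder in a pipeline step and failing the build on a non-empty result catches both the dropped dot-folder and a stale Expires date.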

security.txt is now required for government websites in the Netherlands, and this requirement might spread to other countries too.


That's all!