What it is
RFC 9116 defines a plain-text file that tells security researchers how to responsibly disclose vulnerabilities.
Not strictly an agent standard — but agents increasingly perform security-adjacent tasks (dependency scanning, abuse reporting), and having a discoverable contact endpoint is table stakes for a mature site.
Remediation Prompt
I want to improve my site's agent readiness. Please implement the following fix for security.txt (RFC 9116) across our codebase. Instructions: Please fix the security.txt (RFC 9116) issue on my site so it is agent-ready.
How we test it
| Step | Method | URL |
|---|---|---|
| A | GET | /.well-known/security.txt |
| B (legacy) | GET | /security.txt |
Pass Warn Fail Matrix
| Condition | Status | Score |
|---|---|---|
| Exists at A, has Contact: and Expires: (unexpired) | pass | 1.0 |
| Exists but Expires: has passed | warn | 0.5 |
| Only at legacy path B | warn | 0.7 |
| 404 | not_applicable | — |
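The two-step probe and the matrix above, as an added worked example (not code from the page or its checker): `parse_fields` reads a security.txt body per RFC 9116, `is_unexpired` checks the Expires timestamp, and `evaluate` maps the responses for paths A and B to the matrix's (status, score). The site dict, `NOW`, and the "fail" row for a file missing Contact or Expires are assumptions.

```python
from datetime import datetime, timezone
from typing import Optional, Tuple

WELL_KNOWN = "/.well-known/security.txt"   # step A
LEGACY = "/security.txt"                   # step B (legacy)

def parse_fields(body: str) -> dict:
    """'Field: value' lines -> {lowercased name: [values]}. RFC 9116 field names
    are case-insensitive, '#' lines are comments, and Contact may repeat."""
    fields: dict = {}
    for raw in body.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if sep:
            fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields

def is_unexpired(expires: str, now: datetime) -> bool:
    """Expires is an RFC 3339 timestamp; anything unparsable counts as expired."""
    try:
        when = datetime.fromisoformat(expires.replace("Z", "+00:00"))
    except ValueError:
        return False
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)
    return when > now

def evaluate(site: dict, now: Optional[datetime] = None) -> Tuple[str, Optional[float]]:
    """Map {path: (http_status, body)} to (status, score) per the matrix.
    A live checker would fill the dict with real GETs of paths A and B."""
    now = now or datetime.now(timezone.utc)
    status, body = site.get(WELL_KNOWN, (404, ""))
    if status != 200:                      # assumption: any non-200 counts as absent
        if site.get(LEGACY, (404, ""))[0] == 200:
            return "warn", 0.7             # only at legacy path B
        return "not_applicable", None      # 404 at both locations
    fields = parse_fields(body)
    if "contact" not in fields or "expires" not in fields:
        return "fail", 0.0                 # assumption: the matrix has no row for this
    if not is_unexpired(fields["expires"][0], now):
        return "warn", 0.5                 # exists but Expires: has passed
    return "pass", 1.0

# Constructed sample site and fixed "now" (reproducible; not the page's fixture files).
NOW = datetime(2026, 1, 1, tzinfo=timezone.utc)
SAMPLE_SITE = {WELL_KNOWN: (200, "# constructed\nContact: mailto:security@example.com\n"
                                 "Expires: 2027-01-01T00:00:00Z\n")}
```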
Remediation Prompt
Please publish /.well-known/security.txt per RFC 9116:
```
Contact: mailto:[email protected]
Expires: 2027-01-01T00:00:00Z
Preferred-Languages: en
Canonical: https://example.com/.well-known/security.txt
Policy: https://example.com/security-policy
```
Minimum required fields: Contact and Expires. Rotate Expires at least annually — the file becomes invalid past that date.
Serve with Content-Type: text/plain; charset=utf-8.
Test Fixtures
- pass.txt
- warn-expired.txt
- warn-legacy-path.txt
- na-404.json