Do you publish a standard contact file telling researchers how to report security issues?
Checks that you publish the small, well-known file describing how to reach you about security vulnerabilities.
What this signal tests
We look for a small plain-text file at /.well-known/security.txt on your site. The file follows a public standard called RFC 9116 and lists a contact address for security reports plus an expiry date so people know the contact information is current. It is a one-time file that takes a few minutes to publish and rarely needs updating.
Why it matters for your visibility in AI
AI agents and trust scorers use security.txt as a fast, machine-readable indicator that you take security seriously. Its presence correlates with mature operational governance, which is exactly the signal automated systems use to decide which sources to weight, cite, and link to. Agent platforms operated by OpenAI, Anthropic, and others are increasingly explicit that domains lacking a verified contact channel will be deprioritised. The practical consequence of a missing security.txt is twofold. First, security researchers who find a problem on your site may give up rather than guess at an email address, which raises the chance an issue is exploited rather than reported. Second, automated trust audits treat the absence as a small but cumulative negative against your domain's reputation.
Pass criteria at a glance
| Criterion | Passes when |
|---|---|
| Reachable | A GET of /.well-known/security.txt returns the file, served as plain text. |
| Contact | At least one Contact line is present. |
| Expires | An Expires line is present and parses as an RFC 3339 date in the future. |
How we test it
We make a normal HTTP GET request to the path /.well-known/security.txt on your site. We confirm the response is reachable, served as plain text, and contains at least a Contact line and an Expires line. We then parse the Expires date to make sure it is in the future, because an expired file is treated the same as a missing one. The whole check is a single fetch.
Technical detection method
GET /.well-known/security.txt; text/plain; Contact: present; Expires: parses as RFC 3339 in future.
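The check above is simple enough to reproduce locally before re-running the scan. The following validator is an added example, not the AI Ready Test scanner's own code: it parses an RFC 9116 file (comments, repeated Contact lines, a single Expires line) and applies the same pass criteria, including the rule that an expired file counts as a missing one. The `fetch` helper and the sample file bodies are constructed for this example; `evaluate` takes a fixed `now` so results are reproducible.

```python
"""security.txt validator mirroring the page's pass criteria (added example,
not the scanner's own code): reachable, text/plain, Contact present,
Expires parses as RFC 3339 and lies in the future."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timezone
from urllib.error import HTTPError, URLError
from urllib.request import Request, urlopen


@dataclass
class Result:
    passed: bool
    reasons: list[str] = field(default_factory=list)
    contacts: list[str] = field(default_factory=list)
    expires: datetime | None = None


def parse_fields(body: str) -> dict[str, list[str]]:
    """Collect RFC 9116 'Name: value' fields. '#' lines are comments, field
    names are case-insensitive, and a field may repeat (several Contact lines)."""
    fields: dict[str, list[str]] = {}
    for raw in body.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue  # blank, comment, or PGP armour / malformed line
        name, _, value = line.partition(":")
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def parse_rfc3339(value: str) -> datetime | None:
    """Return an aware datetime, or None if the value is not RFC 3339.
    A timestamp without a zone is rejected: RFC 9116 requires one."""
    try:
        dt = datetime.fromisoformat(value.strip().upper().replace("Z", "+00:00"))
    except ValueError:
        return None
    return dt if dt.tzinfo is not None else None


def evaluate(status: int, content_type: str, body: str,
             now: datetime | None = None) -> Result:
    """Apply the pass criteria to one fetched response."""
    now = now or datetime.now(timezone.utc)
    result = Result(passed=False)
    if status != 200:
        result.reasons.append(f"not reachable: HTTP {status}")
        return result
    if content_type.split(";")[0].strip().lower() != "text/plain":
        result.reasons.append(f"not served as text/plain: {content_type!r}")
    fields = parse_fields(body)
    result.contacts = fields.get("contact", [])
    if not result.contacts:
        result.reasons.append("no Contact field")
    expires_values = fields.get("expires", [])
    if len(expires_values) != 1:
        result.reasons.append("Expires must appear exactly once")
    else:
        result.expires = parse_rfc3339(expires_values[0])
        if result.expires is None:
            result.reasons.append(f"Expires is not RFC 3339: {expires_values[0]!r}")
        elif result.expires <= now:
            result.reasons.append("Expires is in the past: treated as no file")
    result.passed = not result.reasons
    return result


def fetch(origin: str, timeout: float = 10.0) -> tuple[int, str, str]:
    """Single GET of /.well-known/security.txt -> (status, content-type, body).
    Network helper for real use; the samples below never call it."""
    req = Request(origin.rstrip("/") + "/.well-known/security.txt",
                  headers={"User-Agent": "security-txt-check/1.0"})
    try:
        with urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Content-Type", ""), \
                resp.read().decode("utf-8", "replace")
    except HTTPError as err:
        return err.code, "", ""
    except URLError:
        return 0, "", ""


# Constructed sample bodies (not any real site's file).
SAMPLE_OK = """# Constructed sample security.txt
Contact: mailto:security@example.com
Contact: https://example.com/security-form
Expires: 2027-01-01T00:00:00Z
Canonical: https://example.com/.well-known/security.txt
"""
SAMPLE_EXPIRED = "Contact: mailto:security@example.com\nExpires: 2020-01-01T00:00:00Z\n"
SAMPLE_NO_CONTACT = "Expires: 2027-01-01T00:00:00Z\n"
FIXED_NOW = datetime(2026, 1, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    for label, body in [("ok", SAMPLE_OK), ("expired", SAMPLE_EXPIRED),
                        ("no-contact", SAMPLE_NO_CONTACT)]:
        res = evaluate(200, "text/plain; charset=utf-8", body, now=FIXED_NOW)
        print(f"{label}: passed={res.passed} reasons={res.reasons}")
```

Run it as-is to see the three constructed cases, or call `evaluate(*fetch("https://yourdomain.com"))` to test a live site with the same single fetch the scan performs.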
If your site fails: how to fix it
- Decide on a contact address. A dedicated mailbox like security@yourdomain.com is best, but a monitored alias or a form URL also works. The address must be one you actually read.
- Create a plain text file containing at minimum: `Contact: mailto:security@yourdomain.com` on one line and `Expires: 2027-01-01T00:00:00Z` on another. The expiry should be roughly a year out.
- Upload the file to your site so it is reachable at https://yourdomain.com/.well-known/security.txt. If your CMS does not let you write files at that path, configure a redirect or use your hosting platform's static file or rewrite rules.
- Set a calendar reminder to refresh the file every 11 months so the Expires date never lapses. An expired file is treated as no file.
- Optionally, sign the file with OpenPGP and add a Canonical line listing the URL. These are nice-to-have for security-sensitive industries but not required for the signal to pass.
- Re-run the AI Ready Test scan to confirm the file is reachable and parseable.
Quick facts
| Maturity | ESTABLISHED |
|---|---|
| Weight | medium |
| Category | Trust & Provenance |
Primary sources
- RFC 9116, A File Format to Aid in Security Vulnerability Disclosure (the security.txt standard)
- RFC 3339, Date and Time on the Internet: Timestamps (the Expires date format)
Related signals
No related signals listed.
Frequently asked questions
Will I need IT help to fix this?
Probably yes, but only for a few minutes. The file is plain text but it must live at a specific URL path your CMS may not expose directly. A developer or hosting admin can usually publish it via a static file route, a rewrite rule, or your platform's file uploader.
Will publishing my email address attract spam?
Yes, somewhat. Use a dedicated alias that forwards to your real inbox, and apply normal spam filtering. Many organisations find the legitimate inbound from researchers and automated scanners is worth the modest spam increase, but a web form URL is an acceptable alternative.
What if I do not have a formal security team?
Most small organisations do not. Use a general contact like ops@ or hello@ that someone actually monitors and triages. The goal is that a reachable human or ticket system sees a security report within a reasonable time, not that you have a dedicated CISO.
How long until the change takes effect?
Immediately. As soon as the file is uploaded to the right path and your server serves it as text, the signal will pass. There is no DNS step and no propagation. Test with a browser or curl before re-running the scan.
Run your own scan
Run a free scan and see how your site grades across all 155 AI-readiness signals.