Disclosing Vulnerability Reporting Channels (RFC 9116) | DATATAN.NET

Disclosing Vulnerability Reporting Channels (RFC 9116)

In today’s digital era, a website is the “front door” of any organization—serving customers, sharing information, and enabling transactions around the clock. At the same time, websites are frequent targets for attackers seeking to exploit vulnerabilities.

That’s why it is critical for organizations to provide clear and secure channels for security researchers or ethical hackers to report vulnerabilities. Doing so not only helps minimize risks but also builds trust with users.

Why should organizations disclose vulnerability reporting channels?

  1. Minimize damage – Direct reporting allows organizations to fix vulnerabilities before they are exploited.
  2. Build trust – Customers gain confidence knowing that security is taken seriously.
  3. Support researchers – Security researchers can safely report issues without fear of being misunderstood or ignored.
  4. Follow international standards – Many institutions recommend using a standardized vulnerability disclosure file, known as security.txt (RFC 9116).

What is security.txt?

security.txt is a plain text file defined in RFC 9116, designed to tell people how to report security issues to your organization.

It is usually published at:

  • `https://example.com/.well-known/security.txt`
  • or, for backward compatibility only, at the top-level path: `https://example.com/security.txt`

A sample file looks like this:

```text
Contact: mailto:security@example.com
Encryption: https://example.com/pgp-key.txt
Acknowledgments: https://example.com/hall-of-fame
Preferred-Languages: en, th
Canonical: https://example.com/.well-known/security.txt
Expires: 2025-12-31T23:59:00Z
```

Benefits of using security.txt

  • Researchers know **exactly how and where to report vulnerabilities**
  • Reduces the risk of public disclosure before a fix is available
  • Allows secure communication (e.g., encrypted reports via PGP)
  • Enhances the organization’s image as being proactive about cybersecurity

Best practices for implementation

  1. Designate a dedicated security contact (e.g., security team email).
  2. Create a `security.txt` file following RFC 9116 guidelines.
  3. Publish it under the `.well-known/` directory of your website.
  4. Keep the file up to date—especially the `Expires` field.
  5. Automate updates (via scripts or CI/CD pipelines) to prevent expiration.
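As an added example (not part of the original post), here is a small Python check that a CI pipeline could run before publishing the file: it verifies that the required `Contact` and `Expires` fields are present, that `Expires` is a time-zoned ISO 8601 timestamp that has not passed and is less than a year away, and that each `Contact` is a URI. The default path and the set of recognized field names are this example's own assumptions, taken from RFC 9116.

```python
import sys
from datetime import datetime, timedelta, timezone
from typing import List, Optional

REQUIRED = {"Contact", "Expires"}
KNOWN = REQUIRED | {"Encryption", "Acknowledgments", "Preferred-Languages",
                    "Canonical", "Policy", "Hiring"}  # fields defined in RFC 9116

def check_security_txt(text: str, now: Optional[datetime] = None) -> List[str]:
    """Return the problems found; an empty list means the file passes."""
    now = now or datetime.now(timezone.utc)
    problems, seen = [], {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and '#' comments are permitted
        if ":" not in line:
            problems.append(f"line {lineno}: expected 'Field: value'")
            continue
        field, value = (part.strip() for part in line.split(":", 1))
        if field not in KNOWN:
            problems.append(f"line {lineno}: unrecognized field '{field}'")
        seen.setdefault(field, []).append(value)
    for field in sorted(REQUIRED - set(seen)):
        problems.append(f"missing required field '{field}'")
    if len(seen.get("Expires", [])) > 1:
        problems.append("Expires must appear exactly once")
    for expires in seen.get("Expires", [])[:1]:
        try:  # accept a trailing 'Z' on Python versions older than 3.11
            when = datetime.fromisoformat(expires.replace("Z", "+00:00"))
        except ValueError:
            problems.append(f"Expires is not an ISO 8601 timestamp: {expires}")
            continue
        if when.tzinfo is None:
            problems.append("Expires must carry a time zone")
        elif when <= now:
            problems.append("file has expired; regenerate it")
        elif when > now + timedelta(days=365):
            problems.append("Expires is more than a year out (RFC 9116 recommends less)")
    for contact in seen.get("Contact", []):
        if not contact.startswith(("mailto:", "tel:", "https://")):
            problems.append(f"Contact must be a mailto:, tel: or https: URI: {contact}")
    return problems

if __name__ == "__main__":  # assumed default path; pass another as argv[1]
    path = sys.argv[1] if len(sys.argv) > 1 else ".well-known/security.txt"
    with open(path, encoding="utf-8") as fh:
        found = check_security_txt(fh.read())
    print("\n".join(found) or "security.txt OK")
    sys.exit(1 if found else 0)
```

A non-zero exit status fails the pipeline step, so an expired or malformed file is caught before it is deployed.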

Conclusion

Disclosing vulnerability reporting channels is not just a best practice—it’s a responsibility. By providing a clear and secure way for researchers to reach out, organizations can:

  • Respond faster to threats
  • Reduce risks of exploitation
  • Build stronger trust with users and the security community

Cybersecurity is a shared responsibility, and effective collaboration starts with open communication.