Implement Security.txt for Vulnerability Disclosure
Ensure a 'security.txt' file is available on each website to aid in reporting vulnerabilities.
Plain language
A 'security.txt' file is like a signpost on your website that tells security researchers where they can report any problems they find. This is important for finding and fixing security issues quickly to prevent hackers from causing harm to your business.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Aug 2024
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for software development
Official control statement
A 'security.txt' file is hosted for each of an organisation's internet-facing website domains to assist in the responsible disclosure of vulnerabilities in the organisation's products and services.
Why it matters
If a security.txt file is not hosted on internet-facing domains, researchers may not know how to report issues, delaying fixes and increasing breach risk.
Operational notes
Keep security.txt current (contacts, PGP, policy) on every public domain, and triage/track reports so responses and remediation are timely.
Implementation tips
- The IT team should create a 'security.txt' file for the website. This file should include contact information, like an email address, where security researchers can report vulnerabilities they find.
- Website administrators should ensure the 'security.txt' file is placed in the well-known location on the website, typically under the '.well-known' directory, so that it is easy to find.
- The security team should regularly review and update the 'security.txt' file. Make sure the contact information is current and add any additional details, such as social media contacts or a link to a vulnerability disclosure policy.
- Management should communicate the existence of the 'security.txt' file to all relevant staff. Ensure everyone knows how to handle incoming vulnerability reports, including who should be notified and what steps to take next.
- The IT team and management should monitor for any reports received through the 'security.txt' file regularly. Set up processes to prioritise and quickly address any reported vulnerabilities to prevent potential issues.
Audit / evidence tips
- Ask for the location of the 'security.txt' file: request the exact URL where the file is hosted on the website.
  Good evidence: it is accessible and contains valid contact information for reporting.
- Ask for confirmation of the contact details: request to see the contact details listed in the 'security.txt'.
  Good evidence: clear instructions on how researchers can report issues.
- Ask for the update schedule: request the schedule or policy for reviewing the 'security.txt' file.
  Good evidence: documented evidence that shows regular updates, such as a log or change history.
- Ask for evidence of staff communications: request emails or meeting notes where the 'security.txt' file and procedures were discussed with staff.
  Good evidence: evidence that staff understand the process and their role.
- Ask for received vulnerability reports: check how reports have been documented and handled.
  Good evidence: efficient handling of reports with follow-ups and issue resolution recorded.
Cross-framework mappings
How ISM-1717 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (1) | | |
| Annex A 8.8 | Annex A 8.8 requires organisations to obtain information about technical vulnerabilities and take measures to reduce exposure | |
| Supports (1) | | |
| Annex A 5.24 | ISM-1717 requires an organisation to publish a `security.txt` file on each internet-facing website domain to facilitate responsible vulne... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.