Build a RFC 9116 security.txt file for /.well-known/security.txt. Tells security researchers how to report vulnerabilities.
Sign with PGP for production: gpg --clearsign security.txt
# RFC 9116 security.txt
# Serve at: /.well-known/security.txt
# Mirror at: /security.txt
Contact: mailto:security@example.com
Expires: 2027-05-27T20:29:29.367Z
Encryption: https://example.com/pgp-key.txt
Acknowledgments: https://example.com/hall-of-fame
Preferred-Languages: en
Canonical: https://example.com/.well-known/security.txt
Policy: https://example.com/security-policy