adds test for security.txt

October 11, 2022
A new security.txt test component has been added to the website test in collaboration with the Digital Trust Center (DTC). security.txt is a standardised text file containing contact information that you place on your web server. Security researchers can use this information to contact the right department or person within your organization directly about vulnerabilities they have found in your website or IT systems. This can speed up the resolution of the vulnerabilities found, giving malicious parties less opportunity to exploit them. In short: test your own domain and publish a security.txt file!

What is your contact point for security vulnerabilities?

At any time, security researchers (also known as benevolent or ethical hackers) may find digital vulnerabilities in your website or IT systems. Of course, you want to be informed as fast as possible when such a discovery is made, so you can respond quickly and fix the leak. Unfortunately, it is often unclear where a security researcher can report a found vulnerability. This means valuable time may be lost in finding and reaching the right department or person within an organisation. The well-intentioned message may not even reach anyone at all.

Faster warnings with security.txt

Since malicious parties can also detect these vulnerabilities, no avoidable time should be lost in alerting affected organisations. The Digital Trust Center (DTC) regularly experiences that this speed is important when alerting Dutch companies. security.txt can help. By making contact information available through security.txt as an organisation, security researchers can immediately alert the right person or department. The DTC therefore recommends that every company publishes a security.txt file and keeps it up to date. test on security.txt

The new test for security.txt in is intended as a tool for companies and other organisations. The test checks whether the security.txt file is present on the domain name and whether the information included has the correct format.

Gerben Klein Baltink, chair Internet Standards Platform:

"Together with the DTC, we worked to ensure that now also tests for security.txt. By simply adding this standardised format to your web domain, it has become easier for "helping hackers" to find the right contacts if they find a vulnerability with you. I therefore warmly encourage organisations to publish a security.txt file and check via whether this has been done correctly. This is how we keep the Internet open, free and secure together!"

For now, the security.txt standard within has the recommended status. The results of the security.txt test do not yet weigh into the overall test result score. Later this year, the security.txt test will also be added to's API and dashboard. The Netherlands Standardisation Forum is currently reviewing whether the security.txt standard is suitable to become mandatory for the government via inclusion on the 'comply or explain' list.

Want to know more?

Does your company or organisation already have a security.txt file? Enter your website URL at and you'll know within seconds. Wondering how to easily create your own security.txt file? Then read more about security.txt on the DTC website (in Dutch).


The test tool is an initiative of the Dutch Internet Standards Platform which is a collaboration of partners from the Internet community and the Dutch government. The aim of the platform is to jointly increase the use of modern Internet standards to make the Internet more accessible, safer and more reliable for everyone. The software code of is available under an open source license.

Release notes 1.6.0

Upgrading to 1.6 from 1.5.x

See the change overview for the steps to upgrade if you have your own deployment of the codebase.