security.txt: The 2-Minute File That Tells AI Agents Your API Is Safe
RFC 9116 defines a simple text file at /.well-known/security.txt that tells anyone — human or machine — how to report security issues with your service. Every Silver and Gold business in our 500-scan dataset has one. Over 95% of businesses below Bronze do not. It takes 2 minutes to create. It adds points to D7 Security, which carries a 0.12 weight — third-highest of the 9 dimensions.
Why AI Agents Care About security.txt
Before an AI agent delegates a task to your API — processing a payment, booking an appointment, submitting an order — it evaluates whether your service is trustworthy. This evaluation happens across multiple signals: HTTPS, OAuth support, structured error responses, status pages. A security.txt file is one of the fastest signals to check and one of the clearest indicators of organizational security maturity.
The logic is straightforward: a business that publishes a vulnerability disclosure process takes security seriously enough to have one. A business without security.txt likely does not have a formal process for handling reported vulnerabilities — which means the API may have unpatched issues that nobody can responsibly report.
In our 500-business scan, 100% of Silver-tier businesses have a security.txt file. Below Bronze, the adoption rate drops to under 5%. This is not a coincidence — the same organizational discipline that produces good APIs also produces security.txt files.
What Goes Inside a security.txt File
RFC 9116 defines eight fields. Two are required (Contact, Expires); the other six (Acknowledgments, Canonical, Encryption, Hiring, Policy, Preferred-Languages) are optional, and this page covers the four of them that matter most for agent readiness. The file lives at /.well-known/security.txt, must be served over HTTPS with a text/plain content type, and is plain text: no JSON, no YAML, just one "Field: value" pair per line (lines starting with # are comments).
Contact
Required. How to report vulnerabilities: a mailto: address, an https: URL to a reporting form, or a tel: number. The field may appear more than once; list the preferred channel first, since RFC 9116 treats listed order as precedence. It is one of the two required fields.
Example: Contact: mailto:security@example.com
Expires
Required. The date and time after which the file should be considered stale and its contacts no longer trusted, in RFC 3339 Internet date/time format (a profile of ISO 8601, with a UTC offset). It must appear exactly once. RFC 9116 recommends a value less than a year into the future, which forces a periodic review and prevents stale security contacts from persisting for years.
Example: Expires: 2027-04-15T00:00:00.000Z
Preferred-Languages
Optional. Natural languages (comma-separated language tags) the security team prefers for reports. Helps international agents and researchers route reports to a team that can read them without translation overhead. The order of the tags does not indicate priority.
Example: Preferred-Languages: en, es
Canonical
Optional. The URI (or URIs) where this security.txt file officially lives. A reader compares the URL it actually fetched against this list; if that URL is not listed, the file does not apply there, which catches copies cached or re-served under another host by a CDN or proxy. On its own the field is a self-declared claim; RFC 9116 pairs it with an OpenPGP cleartext signature of the file so the claim can be verified.
Example: Canonical: https://example.com/.well-known/security.txt
Policy
Optional. URL to your vulnerability disclosure policy. Tells agents and researchers the rules of engagement: what is in scope, what testing is allowed, safe harbor provisions.
Example: Policy: https://example.com/security/policy
Hiring
Optional. URL to security job openings. Not directly relevant to agent readiness, but signals that the company invests in security talent, which is another trust indicator for agents evaluating API reliability.
Example: Hiring: https://example.com/careers/security
Copy-Paste Template
Save this as /.well-known/security.txt on your web server. Replace the placeholder values with your actual information. This is a complete, RFC 9116-compliant file.
Important: The Expires field is required by RFC 9116. Set it to a date less than a year from today and add a calendar reminder to refresh the file before it lapses. An expired security.txt is worse than none at all: RFC 9116 tells readers to treat a lapsed file as stale, and it signals that you set up a security process once and then abandoned it.
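To make the rules in the field list above concrete, here is a small checker that parses a security.txt file and validates it the way a cautious reader would. It is an added example, not AgentHermes code or anything from RFC 9116 itself; the sample files, the URLs and the reference time AS_OF are constructed for the demo. It checks that Contact and Expires are present, that Expires is an RFC 3339 timestamp that has not passed and is less than a year out, that Contact values carry a recognised scheme, and, when Canonical is present, that the URL the file was fetched from is one of the listed locations. It strips OpenPGP cleartext-signature framing so a signed file parses, but does not verify the signature.

```python
"""Parse and validate a security.txt file against the RFC 9116 rules above.
Added example, not AgentHermes code; GOOD, STALE and AS_OF are constructed."""
from datetime import datetime, timedelta, timezone

REQUIRED = ("Contact", "Expires")
KNOWN_FIELDS = {"Acknowledgments", "Canonical", "Contact", "Encryption",
                "Expires", "Hiring", "Policy", "Preferred-Languages"}
CONTACT_SCHEMES = ("mailto:", "tel:", "https://")  # schemes RFC 9116 names
AS_OF = datetime(2026, 6, 1, tzinfo=timezone.utc)  # constructed 'now' for the demo


def strip_cleartext_signature(text):
    """Drop OpenPGP cleartext-signature framing so the body parses.
    Verifying the signature is out of scope for this example."""
    lines = text.splitlines()
    if lines and lines[0].startswith("-----BEGIN PGP SIGNED MESSAGE-----"):
        # armor headers such as 'Hash: SHA256' run until the first blank line
        lines = lines[lines.index("") + 1:] if "" in lines else []
    if "-----BEGIN PGP SIGNATURE-----" in lines:
        lines = lines[:lines.index("-----BEGIN PGP SIGNATURE-----")]
    return "\n".join(lines)


def parse(text):
    """Return (fields, problems). fields maps canonical field name -> list of
    values in file order; field names are case-insensitive per RFC 9116."""
    fields, problems = {}, []
    for lineno, raw in enumerate(strip_cleartext_signature(text).splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        name, sep, value = line.partition(":")
        if not sep or not value.strip():
            problems.append(f"line {lineno}: not a 'Field: value' pair")
            continue
        canon = next((k for k in KNOWN_FIELDS if k.lower() == name.strip().lower()),
                     name.strip())  # unknown (extension) fields are kept as written
        fields.setdefault(canon, []).append(value.strip())
    return fields, problems


def validate(fields, fetched_from=None, now=None):
    """Return the list of problems; an empty list means the file passes."""
    now = now or datetime.now(timezone.utc)
    problems = [f"missing required field {n}" for n in REQUIRED if n not in fields]
    expires = fields.get("Expires", [])
    if len(expires) > 1:
        problems.append("Expires must appear exactly once")
    for exp in expires[:1]:
        try:
            # RFC 3339 timestamp; the trailing 'Z' is only accepted natively from 3.11
            when = datetime.fromisoformat(exp.replace("Z", "+00:00"))
        except ValueError:
            problems.append(f"Expires is not an RFC 3339 timestamp: {exp}")
            continue
        if when.tzinfo is None:
            problems.append("Expires must carry a UTC offset")
        elif when <= now:
            problems.append(f"file expired at {exp}; treat its contacts as stale")
        elif when - now > timedelta(days=365):
            problems.append("Expires is more than a year out; RFC 9116 recommends less")
    for contact in fields.get("Contact", []):
        if not contact.lower().startswith(CONTACT_SCHEMES):
            problems.append(f"Contact value has no mailto:/tel:/https: scheme: {contact}")
    canonical = fields.get("Canonical", [])
    if canonical and fetched_from and fetched_from not in canonical:
        # the file declares where it lives; a copy served elsewhere does not apply there
        problems.append(f"fetched from {fetched_from}, not listed in Canonical")
    return problems


def check(text, fetched_from=None, now=None):
    """One-call convenience: parse, then validate."""
    fields, problems = parse(text)
    return problems + validate(fields, fetched_from, now)


# Constructed sample: a minimal compliant file (every value is a placeholder).
GOOD = """\
# Constructed example; replace every value before publishing
Contact: mailto:security@example.com
Expires: 2027-04-15T00:00:00.000Z
Preferred-Languages: en, es
Canonical: https://example.com/.well-known/security.txt
Policy: https://example.com/security/policy
"""

# Constructed sample of the failure mode described above: lapsed, and no scheme on Contact.
STALE = """\
Contact: security@example.com
Expires: 2023-01-01T00:00:00Z
"""

if __name__ == "__main__":
    url = "https://example.com/.well-known/security.txt"
    for label, body in (("GOOD", GOOD), ("STALE", STALE)):
        print(label, check(body, url, now=AS_OF) or ["ok"])
```

Run it against a live file by fetching /.well-known/security.txt with any HTTPS client and passing the response body plus the final URL (after redirects) as fetched_from; the Canonical comparison is only meaningful when you pass the URL you really retrieved, not the one you intended to.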
Who Has security.txt (And Who Does Not)
The correlation between security.txt adoption and Agent Readiness Score is striking. Every business in our top 10 has one. Below the Bronze threshold, almost nobody does.
The takeaway is not that security.txt alone causes higher scores. The businesses with security.txt also have OAuth, structured errors, status pages, and good API documentation. But security.txt is the cheapest signal to add. If you have none of the other D7 signals, start here. It takes 2 minutes and demonstrates that you have a security process — even if the rest of your infrastructure is still catching up.
The Three-File Stack for Agent Trust
security.txt is most powerful when combined with two other discovery files that AgentHermes checks. Together, these three files tell AI agents: this business exists, this business is safe, and this business has something useful to offer.
/.well-known/security.txt (D7 Security, weight 0.12): this business takes security seriously and has a process for handling vulnerabilities.
/llms.txt (D1 Discovery + D9 Agent Experience): this business has a machine-readable summary that AI models can consume directly.
/.well-known/agent-card.json (D1 Discovery + D9 Agent Experience): this business has agent-callable capabilities and publishes them in the A2A standard format.
All three files together take under 30 minutes to create and deploy. They touch three different dimensions (D1, D7, D9) with a combined weight of 0.34 — over a third of the total score. For businesses stuck below Bronze, this is the highest ROI afternoon you can spend on agent readiness. Read our 30-signal checklist for the complete list, or start with our D7 Security deep dive for the full picture of what agents evaluate.
Frequently Asked Questions
Does security.txt directly increase my Agent Readiness Score?
Yes. AgentHermes checks for a valid security.txt at /.well-known/security.txt as part of the D7 Security dimension, which carries a 0.12 weight — the third-highest of the 9 dimensions. A valid security.txt with Contact and Expires fields adds points to D7. It is not the largest D7 signal (OAuth and structured 401 responses contribute more), but it is the fastest to implement and signals security maturity.
Do AI agents actually read security.txt?
Not directly in most cases today. But AI agents evaluating whether to trust an API check for security signals as part of their trust assessment. A security.txt file signals that the organization has a vulnerability disclosure process, which correlates with better API security practices overall. Agents using the AgentHermes registry see D7 scores that factor in security.txt, so it indirectly influences agent routing decisions.
What is the difference between security.txt and robots.txt for agents?
robots.txt tells agents what content they can crawl. security.txt tells agents (and humans) how to report security issues with your service. They serve completely different purposes. For agent readiness, robots.txt impacts D1 Discoverability (whether agents can find you), while security.txt impacts D7 Security (whether agents trust you). Both are single files at known paths. Both take minutes to create. Both affect your score.
Is there a generator tool for security.txt?
Yes. securitytxt.org provides an interactive generator that produces a standards-compliant file. You fill in your contact email, policy URL, and preferred languages, and it generates the complete file. Alternatively, AgentHermes auto-generates a security.txt as part of the /connect wizard output — along with agent-card.json and llms.txt.
Check if you have security.txt
Run a free Agent Readiness Scan. We check for security.txt, agent-card.json, llms.txt, and 27 other signals across all 9 dimensions. See your D7 Security score in 60 seconds.