How to fix: Vulnerability disclosure contact (security.txt)
NIS2 Art. 21(2)(j)
RFC 9116
Why this matters
NIS2 essential and important entities are expected to maintain a coordinated vulnerability disclosure capability. A published security.txt with a working contact is the lowest-effort way to demonstrate that capability.
Background
See security.security_txt above — NIS2 elevates this from 'nice to have' to expected practice for essential and important entities.
References
RFC 9116 · NIS2 Art. 21(2)(j) — vulnerability handling and disclosure
How to fix
Code snippet for each stack we cover. Pick the one matching your server / framework.
nginx
See security.security_txt snippet.
apache
Same.
cloudflare
Same.
wordpress
Same.
flask
Same.
express
Same.
rails
Same.
Verify it's working
curl https://your-site/.well-known/security.txt