
nis2

How to fix: Vulnerability disclosure contact (security.txt)

NIS2 Art. 21(2)(j) · RFC 9116

Why this matters

NIS2 essential and important entities are expected to maintain a coordinated vulnerability disclosure capability. A published security.txt with a working contact is the lowest-effort way to demonstrate that capability.

Background

See security.security_txt above — NIS2 elevates this from 'nice to have' to expected practice for essential and important entities.

References

RFC 9116 · NIS2 Art. 21(2)(j) — vulnerability handling and disclosure

How to fix

Code snippet for each stack we cover. Pick the one matching your server / framework.

nginx
See security.security_txt snippet.
apache
Same.
cloudflare
Same.
wordpress
Same.
flask
Same.
express
Same.
rails
Same.

Verify it's working

curl https://your-site/.well-known/security.txt
