security.txt & Disclosure Kit Generator
Security & Compliance
Instant

security.txt & Disclosure Kit Generator

Freebugcircuit-securitytxt.zip · 33 KB · v1.0.0

Generate a standards-perfect security.txt, robots.txt, and disclosure policy in one command — free, no dependencies.

security.txt & Disclosure Kit Generator builds the paperwork that lets security researchers report vulnerabilities to you the right way. In one command it produces an [RFC 9116](https://www.rfc-editor.org/rfc/rfc9116)-compliant /.well-known/security.txt, a matching legacy root copy, a sensible robots.txt that keeps your security.txt reachable, and a ready-to-edit Vulnerability Disclosure Policy — complete with scope, safe-harbor language, and response-time commitments.

It is deliberately passive and offline. The tool makes no network connections, runs no scans, and collects no data — it simply writes correctly-formatted text files describing how to reach *your* organization. Every value is validated before anything is written: contacts must be real emails or secure (https:// / mailto: / tel:) URIs, the Expires date must be in the future, and language tags and policy URLs are checked for you. Bad input produces a clear message and a clean exit code instead of a stack trace, so it drops straight into CI or a Makefile.

Distributed by Bug Circuit as a single Python 3.8+ file with zero dependencies — download it and run. Works on Windows, macOS, and Linux, with a clean colorized (TTY-aware) banner, a fully interactive mode for first-timers, and flag-driven, non-interactive operation for automation. Use it only for domains and brands you own or are authorized to represent, and have your legal counsel review the generated policy before publishing.

How to use

  • Install Python 3.8 or newer (standard library only — nothing else to install).
  • Run python3 bugcircuit-securitytxt.py with no arguments to be walked through every field interactively, or pass flags for a one-liner.
  • Provide at least one contact with --contact (email or https URL) and optionally --policy-url, --canonical, --encryption, and --expires.
  • Choose where files land with --out ./public (the directory is created if needed); add --force to overwrite an existing kit.
  • Upload the generated .well-known/security.txt to your web root and serve it over HTTPS, then confirm it at https://your-domain/.well-known/security.txt.
  • Edit VULNERABILITY-DISCLOSURE-POLICY.md to match your real commitments, have legal review it, and set a reminder to refresh the file before its Expires date.

Example commands

python3 bugcircuit-securitytxt.py
python3 bugcircuit-securitytxt.py --contact [email protected] --canonical https://example.com --expires +1y --out ./public
python3 bugcircuit-securitytxt.py -c [email protected] -c https://example.com/report --encryption https://example.com/pgp-key.txt --policy-url https://example.com/security-policy --preferred-languages "en, fr" --out ./site --force
python3 bugcircuit-securitytxt.py -c [email protected] --no-robots --no-vdp --print
python3 bugcircuit-securitytxt.py -c [email protected] --expires 2026-12-31 -o ./out -n -f

Free · MIT licensed · Python 3.8+ · no dependencies · runs on Windows, macOS & Linux. A free tool from Bug Circuit.

Download free

Downloads are free. You’ll sign in to a free store account (any email — takes 10 seconds) so you can re-download any time from your account.

Free & open — runs on your machineRe-download any time Real human support

Something not right with your order? Email [email protected] — the same team that runs our security audits makes it right.