Chose your color

Frequently visited

Frequently asked questions

  • I am looking for a domain name registrant. Where can I look it up?

    The Whois is an easy-to-use tool for checking the availability of a .nl domain name. If the domain name is already taken, you can see who has registered it.

    On the page looking up a domain name you will find more information about what a domain name is, how the Whois works and how the privacy of personal data is protected. Alternatively, you can go straight to look for a domain name via the Whois.

  • I would like to transfer my domain name to another registrar. What is the procedure?

    To get your domain name transferred, you need the token (unique ID number) for your domain name. Your existing registrar has the token and is obliged to give it to you within five days, if you ask for it. The procedure for changing your registrar is described on the page transferring your domain name.

  • The details registered about me/my company are incorrect or out of date. How can I get them updated?

    To update the contact details associated with your domain name, you need to contact your registrar. Read more about updating contact details.

  • Why is my domain name in quarantine?

    When a domain name is cancelled, we aren't told the reason, so we can't tell you. You'll need to ask your registrar. The advantage of quarantine is that, if a name's cancelled by mistake, you can always get it back.

    One common reason is that the contract between you and your registrar says you've got to renew the registration every year. If you haven't set up automatic renewal and you don't renew manually, the registration will expire.

  • Ik heb een klacht over mijn provider/registrar. Kan ik daarvoor bij SIDN terecht?

    Wanneer je een klacht hebt over of een geschil met je registrar dan zijn er verschillende mogelijkheden om tot een oplossing te komen. Hierover lees je meer op pagina klacht over registrar. SIDN heeft geen formele klachtenprocedure voor het behandelen van een klacht over jouw registrar.

  • What conditions do I have to meet as a registrar?

    Would you like to be able to register domain names for customers or for your own organisation by dealing directly with SIDN? If so, you can become a .nl registrar. Read more about the conditions and how to apply for registrar status on the page becoming a registrar.

More frequently asked questions
Login
Nederlands

Domain names

Overviewpage Domain names

Cybersecurity

Overviewpage Cybersecurity

Who we are

Overviewpage About SIDN

What we do

SIDN Labs

Homepage SIDN Labs

News

Domain names

Overviewpage Domain names

Who we are

Overviewpage About SIDN

What we do

SIDN Labs

Homepage SIDN Labs

News

Cybersecurity

Overviewpage Cybersecurity

Vacancies

Loading vacancies
More vacancies

News

Loading news
More news and blogs

News

Loading news
More news and blogs

Security.txt

Security.txt provides a straightforward, secure and structured mechanism for reporting website security issues.

Illustration symbolising the internet standard security.txt

Websites and online services are continually scanned for vulnerabilities. Not only by malicious actors, but also by security investigators, IT professionals and developers. When those benign actors discover issues, they want to be able to report them responsibly. And it’s important to an organisation with a website that any incoming vulnerability report goes straight to the right person or department. By enabling all that, security.txt helps make the internet more secure. We therefore promote its use.

A standard location for vulnerability reporting info

Security.txt is a standardised text file that’s published at the following set location on a website:

/.well-known/security.txt

The file contains information about how to report security issues, e.g. by mailing a particular address, by using a form, or another responsible disclosure mechanism.

Making that information available in a standardised format at a known, standard location means that anyone who discovers a vulnerability doesn’t have to hunt around for general contact or support details. Communication lines stay short, and incoming reports go straight to someone who can take appropriate action.

In the Netherlands, security.txt is now mandatory for government organisations. Since May 2023, the standard has been on the 'use-or-explain' list maintained by the Forum for Standardisation. All government organisations must therefore have valid security.txt files in their publicly accessible systems.

International standard

The security.txt standard was defined by the Internet Engineering Task Force, one of the main developers of internet standards. It’s formally specified in RFC 9116.

More and more organisations are making security.txt part of their security strategies.

As well as being mandatory in the public sector, the standard is gaining popularity with companies that take digital resilience seriously.

As with other modern internet standards, it’s all about clear arrangements, predictability and an internet that’s more secure for everyone.

Get started now

Start using security.txt on your website now, and check that your configuration is right.

Various resources are available to help you with security.txt. They include online validators for checking that your file is correctly formatted and in the right place. And WordPress plug-ins that make it easy to generate and manage security.txt files. For .nl registrars, we provide an e-learning module about security.txt via the SIDN Academy.

Frequently asked questions about security.txt

Basics and background

What exactly is security.txt?

Security.txt is a standardised text file containing information about how to report security issues with a website, which is published at a standard location: /.well-known/security.txt. The standard has been defined by Internet Engineering Task Force as RFC 9116.

Why was security.txt developed?

Before security.txt, a security investigator who discovered a vulnerability on a website had to hunt around to find out how to alert the site’s operator. That often led to issue reporting delays and reports going to the wrong place. With security.txt, there’s a single, clearly signposted route for vulnerability reporting.

Who’s responsible for the security.txt standard?

The standard is managed by the Internet Engineering Task Force (IETF). It’s formally specified in RFC 9116, published via the RFC Editor.

How widely is security.txt now used?

More and more public and private sector organisations are using security.txt. In the Netherlands, the standard has been on the 'use-or-explain' list maintained by the Forum for Standardisation since May 2023. All government organisations must therefore publish valid security.txt files. Up-to-data information about the percentage of .nl domain names with valid securty.txt files is available from stats.sidnlabs.nl.

Technical aspects

Exactly where does security.txt have to go?

Security.txt has to be published at a standard location within the domain: /.well-known/security.txt

What fields are mandatory in security.txt?

Your file must include at least a Contact field and an Expires field. The Contact field tells people how to make a report, e.g. by e-mail at a URL. The Expires field gives the file’s expiry date. Without those fields, your file doesn’t conform to the standard.

What other fields can a security.txt file contain?

Optional fields include Policy, Acknowledgments, Encryption and Hiring. Those are for signposting your responsible disclosure policy, an acknowledgements page and a public key for encrypted communications. For a full list of possible fields, see RFC 9116.

What format does a security.txt file have to be?

Security.txt must be a plain text file in UTF-8. Each line consists of a field name and a value, separated by a colon. The date in the Expires field must be ISO 8601 format, expressed in UTC.

Practical implementation

How do we implement security.txt on an existing website?

Basically, you need to put a text file at a particular location on your web server. Plug-ins are available for many content management systems, including WordPress, which simplify the file generation process. For example, the Registrars' Association has developed a WordPress plug-in.

Does our web server need to be specially configured for security.txt?

In most cases, no. If you’ve got access to the web root or you’re able to create a directory called .well-known, all you have to do is put a text file there. The file must be publicly accessible, and must have the correct content type header.

How do we check that we’ve published our security.txt file correctly?

Use a browser to see whether the file is available at https://example.nl/.well-known/security.txt. You can also use an online validation tool. For example, the URIports security.txt validator lets you check that your file is correctly formatted and in the right place.

Does a security.txt file have an expiry date?

Yes. Without an expiry date, a security.txt file is invalid. The date has to be specified in a field called Expires. It follows that you have to update your security.txt file from time to time. RFC 9116 recommends using a validity period of less than a year. That makes you regularly check the information in your file and make any necessary updates. The use of expiry dates prevents old contact details being left in neglected files.

Responsible disclosure policy and processes

How does security.txt relate to responsible disclosure?

Security.txt provides a technical entry point. Responsible disclosure is a set of arrangements and a process for reporting and dealing with vulnerabilities. In your security.txt file, you can signpost your responsible disclosure policy in the Policy field.

Do we need internal processes for handling security.txt reports?

Yes. Publishing a security.txt file is useful only if incoming vulnerability reports are actually dealt with. That might mean having a special mailbox for reports, defining who is responsible for what and keeping records, for example.

What response times are normal with security.txt?

The standard doesn’t say how quickly you should respond to incoming reports. In practice, it’s normal to confirm receipt within a few days and to liaise with the report’s sender about publishing details of the detected vulnerability. The NCSC provides relevant guidelines for coordinated vulnerability disclosure.

How should sensitive security.txt reports be handled?

Make sure that reports are treated as confidential and accessible only to suitably authorised personnel. Consider enabling encrypted communication by including an Encryption field in your security.txt file, giving a PGP key, for example.

Benefits en limitations

What’s the practical value of security.txt?

Security.txt reduces the risk of vulnerability reports going to the wrong place or getting neglected. As a result, vulnerabilities are more likely to be addressed sooner and reputation damage mitigated. Implementing security.txt also shows that you’re open to responsible disclosure.

Does security.txt help to ensure that vulnerabilities are resolved quickly?

Yes, indirectly. Security.txt streamlines the first step: getting information to the right person. How quickly an issue is resolved after that depends on your internal processes and capacity.

What doesn’t security.txt do?

The system doesn’t resolve vulnerabilities or remove the need for security measures. Security.txt is communication protocol, not a technical security solution.

Is security.txt mandatory or optional?

Security.txt is on the 'use-or-explain' list maintained by the Forum for Standardisation, meaning that government organisations in the Netherlands must support it. For other organisations, it’s optional. However, security.txt support is regarded as best practice for modern internet standards.

Security and abuse

Can security.txt actually bring extra risk?

A security.txt file contains only contact info and policy references. It doesn’t directly increase your attack surface. You may see an upturn in e-mail traffic, however.

Will a security.txt file attract unwanted attention?

Research has shown that organisations without security.txt files are also scanned and probed for vulnerabilities. Security.txt simply makes it clear how vulnerabilities can be responsibly disclosed.

How do we prevent spam or abuse of our security.txt contact address?

It's best to use a dedicated e-mail address for vulnerability reports. Set up filters on the mailbox, and make sure it’s actively monitored. Consider creating a web form as well.

Relationship to other standards

How does security.txt relate to responsible disclosure policy?

Your security.txt file can point to your responsible disclosure policy, but isn’t a replacement for a policy. The file is a technical point of entry, while your disclosure policy explains what practical arrangements you have made.

Is security.txt similar to robots.txt?

Both files have to be placed at a standard location, and both give instructions for outsiders. Robots.txt is for search engines, while security.txt is for vulnerability reporting.

Can your security.txt file point to a bug bounty platform?

Yes. You can give the address of a bug bounty programme or disclosure platform in the Contact field or Policy field. A bug bounty is optional and separate from the standard itself.