A standard allowing organizations to nominate security contact points and policies via DNS TXT records.
This proposal was first made public on March 25, 2021 and is currently a draft. We welcome comments and feedback! To make suggestions please submit a PR via Github or submit a ticket. Thanks for your interest!
Find us on Twitter: https://twitter.com/dnssecuritytxt.
When people find security issues in Internet-facing systems, the correct channel to report security issues isn’t always clear. The relevant vulnerability reporting and disclosure policy for the system isn’t always apparent. The DNS Security TXT standard extends the work done by security.txt to simplify answering this question by taking advantage of DNS, arguably the most ubiquitous system on the Internet.
When deployed, it provides security researchers, Internauts, and concerned Internet citizens with clear and authoritative direction towards the correct channels for reporting security issues and the governing policies set out by an organization for all systems under a domain.

It is common practice to use DNS TXT to establish authorization from a domain. A typical example is when a company shows domain ownership to a third-party SaaS platform by placing a TXT record in their DNS zone.
DNS records speak on behalf of the organization and not just an individual server or application owner. Pairing security reporting and policy information with the authoritative nature of DNS creates confidence in the information provided.
This attribute of DNS TXT records makes them a suitable place to publish clear instructions about where security issues should be sent and where the organization’s security policy can be found. A DNS Security TXT record does not itself authorize testing; authorization or safe-harbor terms must be stated explicitly in the linked policy.
Management of DNS records is centralized, making these records simple to deploy, update, maintain, and remove if required. It also eliminates reliance on individual owners to deploy and maintain separate files.
DNS is core to the Internet’s operation, and interrogating DNS is a fundamental footprinting activity in penetration tests, automated scans, and free-form security research, meaning the correct contact details and policy information are less likely to be missed.
Z suffix and must be in the future when published.2027-01-01T00:00:00ZThe proposed IETF specification defines _security.example.com as the sole normative owner name. This follows the underscored-name convention in RFC 8552, avoids collisions with unrelated apex TXT records, and permits an explicit IANA registration. Clients query _security.example.com; they do not automatically fall back to the apex or walk toward the DNS root. Per-host HTTP details can continue to live in that host’s /.well-known/security.txt file under RFC 9116.
Pros:
Cons:
| Description | Domain | Type | Content |
|---|---|---|---|
| Direct email reporting contact | _security.example.com | TXT | “security_contact=mailto:[email protected]” |
| Direct web form reporting contact | _security.example.com | TXT | “security_contact=https://example.com/report-security-issue” |
| 3rd party web form reporting contact | _security.example.com | TXT | “security_contact=https://bugcrowd.com/domain/report” |
| Direct policy URL | _security.example.com | TXT | “security_policy=https://example.com/security-policy” |
| 3rd party web form reporting URL | _security.example.com | TXT | “security_policy=https://bugcrowd.com/domain” |
| Expiration timestamp | _security.example.com | TXT | “security_expires=2027-01-01T00:00:00Z” |
The 2021 proposal allowed apex records as a discovery fallback. The proposed IETF specification removes that behavior because apex TXT RRsets commonly contain unrelated protocols and do not provide explicit scoping. Existing operators should add security_expires, copy all DNS Security TXT records to _security, and remove the apex copies after an appropriate transition period. Clients may offer an explicitly labeled legacy mode, but it should not be enabled by default.
Is this a replacement for security.txt?
Why is security_expires required?
Is this giving anyone permission to hack my organization?
Can I deploy this on a subdomain?
Who in my organization do I need to engage with to get these records in place?
Will adding an email address expose me to spam bots?
How do I put these entries into my DNS?
Created with <3 by John Carroll and Casey Ellis for The disclose.io Project.