Security.txt Auditor
Pricing
from $0.005 / actor start
Security.txt Auditor
Audit a public website's security.txt vulnerability disclosure metadata. Checks discovery paths, required fields, expiration, contact methods, and returns a readiness score with recommendations.
Pricing
from $0.005 / actor start
Rating
0.0
(0)
Developer
Sanskar Jaiswal
Maintained by CommunityActor stats
0
Bookmarked
2
Total users
1
Monthly active users
a day ago
Last modified
Categories
Share
Security.txt Auditor checks whether a public website publishes vulnerability disclosure metadata using the security.txt convention. It tests the preferred /.well-known/security.txt path first, falls back to /security.txt, parses recognized fields, and returns a readiness score with specific recommendations.
Use cases
- Security teams checking disclosure readiness across owned domains.
- Devops teams validating launch and migration checklists.
- Compliance teams collecting evidence for vulnerability reporting processes.
- Agencies auditing client websites for basic security contact hygiene.
- Developer-tool builders adding security.txt checks to monitoring workflows.
Input
| Field | Type | Required | Description |
|---|---|---|---|
startUrl | string | Yes | Public website URL to audit. HTTP and HTTPS are supported. Private IP ranges and URL credentials are blocked. |
timeoutSeconds | integer | No | Timeout for each HTTP request. Default: 10. Minimum: 3. Maximum: 30. |
Output
Each run pushes one dataset item.
| Field | Type | Description |
|---|---|---|
inputUrl | string | The URL provided as input. |
siteOrigin | string | Normalized website origin checked by the actor. |
found | boolean | Whether a security.txt file was found and parsed. |
fileUrl | string | Security.txt URL that returned a parseable file. Empty when not found. |
status | integer or null | HTTP status of the selected response, or first attempted response when not found. |
contentType | string | Response content type for the selected file. |
score | integer | Readiness score from 0 to 100. |
grade | string | Letter grade: A, B, C, D, or F. |
checkedAt | string | ISO timestamp for the audit. |
fields | object | Parsed security.txt fields keyed by lowercase field name. Values are arrays because fields may repeat. |
unknownFields | array | Field names not recognized by this auditor. |
findings | array | Structured checks with name, status, points, and recommendation. |
recommendations | array | Plain-language fixes for missing or weak items. |
attempts | array | Fetch attempts for /.well-known/security.txt and /security.txt. |
Example input
{"startUrl": "https://example.com","timeoutSeconds": 10}
Example output
{"inputUrl": "https://example.com","siteOrigin": "https://example.com","found": true,"fileUrl": "https://example.com/.well-known/security.txt","status": 200,"contentType": "text/plain","score": 95,"grade": "A","checkedAt": "2026-07-08T00:00:00.000Z","fields": {"contact": ["mailto:security@example.com"],"expires": ["2099-01-01T00:00:00Z"],"canonical": ["https://example.com/.well-known/security.txt"],"policy": ["https://example.com/security-policy"]},"unknownFields": [],"findings": [{ "name": "File found", "status": "pass", "points": 20, "recommendation": null },{ "name": "Preferred path", "status": "pass", "points": 15, "recommendation": null }],"recommendations": [],"attempts": [{ "url": "https://example.com/.well-known/security.txt", "status": 200, "ok": true, "error": null }]}
Security
The actor only fetches public HTTP and HTTPS URLs. It rejects URL credentials, private IPv4 literals, private IPv6 literals, and hostnames that resolve to private IP ranges. Redirects are followed manually and revalidated before each follow-up request. Response bodies are capped before parsing.
Pricing
Suggested pay-per-event pricing:
| Event | Price |
|---|---|
| Actor start | $0.005 |
| Website audited | $0.01 |
This keeps one-domain checks inexpensive while charging proportionally for successful dataset results.
FAQ
Does this actor verify that an email inbox works?
No. It parses the published security.txt file and checks whether Contact values are present and use common forms such as mailto: or HTTPS URLs. It does not send emails or submit forms.
Which paths are checked?
The actor checks /.well-known/security.txt first, then /security.txt as a fallback.
Does it require login or credentials?
No. It only audits public unauthenticated website paths.
What keep metric should be used?
Keep or improve this actor if it receives organic Store impressions, runs, revenue, or inbound questions within 60 to 90 days. Archive it if there is no discovery and no usage.