Public Security.txt Readiness Agent

Pricing

Rating

Developer

Actor stats

Categories

Share

Check whether public websites publish a usable security.txt vulnerability disclosure file.

This Actor checks the standard public locations only:

• /.well-known/security.txt
• /security.txt

It parses evidence from the file and returns a compact readiness record. It is not a vulnerability scanner, penetration test, bug bounty crawler, security header auditor, or compliance certification tool.

What It Extracts

• contact methods
• expiry date and expiry status
• canonical URLs and canonical match status
• policy, encryption, acknowledgments, preferred language, and hiring fields
• unknown fields and invalid lines
• risk labels and recommended next action
• stable securityTxtHash for unchanged-result suppression

Input

{
"siteUrls":[
"https://www.atlassian.com/"
],
"previousSecurityTxtRecords":[],
"checkLegacyPath":true,
"strictRfcMode":true,
"requestTimeoutSecs":15
}

Pricing

apify-default-dataset-item is intentionally not used.

Only new or changed records with recognized public security.txt evidence charge useful-security-txt-readiness-result. Missing files, failed fetches, duplicate inputs, unchanged records, and unsafe inputs are written without the useful event.

Safety

• public HTTP/HTTPS site URLs only
• private-network and .local hosts rejected
• query strings, fragments, credentials, and path parameters rejected
• token-like account paths redacted/rejected
• only same-site security.txt candidate paths are fetched
• linked contact, policy, canonical, and encryption URLs are recorded but not fetched