Security.txt

For more information about changing these configuration settings, see Security issue reporting.

To access the store configuration settings, choose Stores > Settings > Configuration from the Admin sidebar.

General

| Field | Scope | Description |
|---|---|---|
| Enable | Website | When enabled, a security.txt file is saved that contains the information security researchers need to report potential vulnerabilities to you. Options: Yes - Creates the security.txt file based on the information entered in the Contact information and Other information sections. No - (default) Does not create the security.txt file. |

Contact information

| Field | Scope | Description |
|---|---|---|
| Email | Website | The email address where security reports can be sent. |
| Phone | Website | A phone number that can be used to report security concerns. |
| Contact Page | Website | The URL of a page on your site that lists security contacts, or your Contact Us page. Examples: https://mystore.com/security-contact.html, https://mystore.com/contact/ |

Other information

| Field | Scope | Description |
|---|---|---|
| Encryption | Website | A URL that points to the location of an encryption key that security researchers can use to send encrypted communications. Do not enter the encryption key itself in this field. It is the responsibility of the researcher to verify that the key comes from a trustworthy source; researchers must not assume that the key is the same one used to generate the digital signature. Example (OpenPGP key served from the web server): https://mystore.com/pgp-key.txt |
| Acknowledgments | Website | A URL that points to a page in your store where security researchers are acknowledged, such as https://mystore.com/hall-of-fame.html. To avoid giving attackers useful detail, include only a general description without revealing specifics of the vulnerabilities. Example: "We would like to thank the following researchers: (yyyy/mm/dd) Justin Thyme - SQL injection" |
| Preferred Languages | Website | Specifies at least one preferred language for security reports. Separate multiple two-character language codes with a comma; all specified languages have the same priority. For example, to specify English, Spanish, and French, enter en, es, fr. |
| Hiring | Website | The URL of a page on the site that lists security-related job positions. Example: https://mystore.com/jobs.html |
| Policy | Website | The URL of the page that describes your security policy and vulnerability reporting practices. Example: https://mystore.com/security-reporting.html. Default: https://mystore.com/security |
| Signature | Website | A link to your digital signature file. The digital signature must be generated from the command line and is saved in the .well-known folder on the server. For more information, see Security.txt on GitHub. Example: https://mystore.com/.well-known/security.txt.sig |
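The tables above describe what each Admin field feeds into the generated file, but not what the resulting security.txt has to look like to be useful to a researcher. The following added example (not Magento or Adobe Commerce code) renders the field values into security.txt lines and then runs the sanity checks a practitioner would want before publishing: at least one Contact, an Expires date that is neither past nor more than a year out, https URLs for the link fields, a key location rather than key material in Encryption, and well-formed language tags in Preferred-Languages. The field names mirror the configuration tables; the sample values, the mystore.com URLs and the Expires handling are constructed assumptions. The checks follow RFC 9116, which also mandates Expires even though the Admin form above has no field for it.

```python
"""Build a security.txt from the Admin field values and sanity-check it.

Added example, not Magento/Adobe Commerce code. Sample values are constructed.
"""
from __future__ import annotations

import re
from datetime import datetime, timedelta

# Constructed sample of what an administrator would type into the fields above.
SAMPLE_FIELDS = {
    "email": "security@mystore.com",
    "phone": "+1-555-0100",
    "contact_page": "https://mystore.com/security-contact.html",
    "encryption": "https://mystore.com/pgp-key.txt",
    "acknowledgments": "https://mystore.com/hall-of-fame.html",
    "preferred_languages": "en, es, fr",
    "hiring": "https://mystore.com/jobs.html",
    "policy": "https://mystore.com/security-reporting.html",
}

URL_FIELDS = ("Acknowledgments", "Canonical", "Hiring", "Policy")
LANG_TAG = re.compile(r"^[A-Za-z]{2,3}(-[A-Za-z0-9]{2,8})*$")


def build_security_txt(fields: dict[str, str], expires_iso: str) -> str:
    """Render the field values as security.txt lines; Expires is required by RFC 9116."""
    out: list[str] = []
    if fields.get("email"):
        out.append(f"Contact: mailto:{fields['email']}")
    if fields.get("phone"):
        out.append(f"Contact: tel:{fields['phone']}")
    if fields.get("contact_page"):
        out.append(f"Contact: {fields['contact_page']}")
    out.append(f"Expires: {expires_iso}")
    for key, name in (("encryption", "Encryption"), ("acknowledgments", "Acknowledgments"),
                      ("hiring", "Hiring"), ("policy", "Policy")):
        if fields.get(key):
            out.append(f"{name}: {fields[key]}")
    if fields.get("preferred_languages"):
        tags = [t.strip() for t in fields["preferred_languages"].split(",") if t.strip()]
        out.append("Preferred-Languages: " + ", ".join(tags))
    return "\n".join(out) + "\n"


def parse_security_txt(text: str) -> dict[str, list[str]]:
    """Collect field values by name; a field may repeat (for example several Contact lines)."""
    fields: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if sep:
            fields.setdefault(name.strip(), []).append(value.strip())
    return fields


def check_security_txt(text: str, now_iso: str) -> list[str]:
    """Return the problems found; an empty list means the file passes the checks."""
    now = datetime.fromisoformat(now_iso)  # expected to carry a time zone, e.g. +00:00
    f = parse_security_txt(text)
    problems: list[str] = []
    if "Contact" not in f:
        problems.append("missing Contact (at least one is required)")
    for c in f.get("Contact", []):
        if not c.startswith(("https://", "mailto:", "tel:")):
            problems.append(f"Contact must be an https://, mailto: or tel: URI: {c}")
    exp = f.get("Expires", [])
    if len(exp) != 1:
        problems.append("Expires must appear exactly once")
    else:
        try:
            when = datetime.fromisoformat(exp[0].replace("Z", "+00:00"))
        except ValueError:
            problems.append(f"Expires is not an ISO 8601 date-time: {exp[0]}")
        else:
            if when.tzinfo is None:
                problems.append("Expires must include a time zone")
            elif when <= now:
                problems.append("Expires is in the past; researchers will treat the file as stale")
            elif when > now + timedelta(days=365):
                problems.append("Expires is more than a year out (RFC 9116 recommends under a year)")
    for e in f.get("Encryption", []):
        if not e.startswith(("https://", "dns:", "openpgp4fpr:")):
            problems.append("Encryption must reference a key location, not contain key material")
    for name in URL_FIELDS:
        for v in f.get(name, []):
            if not v.startswith("https://"):
                problems.append(f"{name} must be an https URL: {v}")
    langs = f.get("Preferred-Languages", [])
    if len(langs) > 1:
        problems.append("Preferred-Languages must appear at most once")
    for entry in langs:
        for tag in (t.strip() for t in entry.split(",")):
            if not LANG_TAG.match(tag):
                problems.append(f"Preferred-Languages entry is not a language tag: {tag!r}")
    return problems


if __name__ == "__main__":
    txt = build_security_txt(SAMPLE_FIELDS, "2024-06-29T00:00:00Z")
    print(txt)
    print("problems:", check_security_txt(txt, "2024-01-01T00:00:00+00:00") or "none")
```

Run it against the file the store actually serves at /.well-known/security.txt rather than only against the Admin values: the checks are cheap, and a stale Expires or an http:// Policy link is exactly what a researcher sees first.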