Provide public security contact information

Introduced in GitLab 16.7.

Organizations can facilitate the responsible disclosure of security issues by providing public contact information. GitLab supports using a security.txt file for this purpose.

Administrators can add a security.txt file using the GitLab UI or the REST API. Any content added is made available at https://gitlab.example.com/.well-known/security.txt. Authentication is not required to view this file.

To configure a security.txt file:

  1. On the left sidebar, select Search or go to.
  2. Select Admin Area.
  3. Select Settings > General.
  4. Expand the Add security contact information section.
  5. In Content for security.txt, enter security contact information in the format documented at https://securitytxt.org/.
  6. Select Save changes.

For information about how to respond if you receive a report, see Responding to security incidents.

Example security.txt file

The format of this information is documented at https://securitytxt.org/. An example security.txt file is:

Contact: mailto:security@example.com
Expires: 2024-12-31T23:59Z
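Because the published file is only useful while its Contact is reachable and its Expires date is in the future, here is an added validator (example code, not GitLab's own) that checks security.txt content against the rules of RFC 9116, the specification behind securitytxt.org; the SAMPLE text reuses the page's example, and the one-year warning threshold comes from that RFC rather than from this page.

```python
from datetime import datetime, timedelta, timezone

REQUIRED = ("Contact", "Expires")                    # RFC 9116: both MUST be present
SINGLE_VALUED = ("Expires", "Preferred-Languages")   # RFC 9116: MUST NOT repeat

SAMPLE = """\
# Constructed sample security.txt, based on the page's example
Contact: mailto:security@example.com
Expires: 2024-12-31T23:59Z
"""

def parse_security_txt(text):
    """Return (fields, errors); fields maps each field name to its values."""
    fields, errors = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                                 # blank lines and comments are fine
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            errors.append(f"line {lineno}: expected 'Field: value'")
            continue
        fields.setdefault(name.strip(), []).append(value.strip())
    return fields, errors


def validate_security_txt(text, now=None):
    """Return a list of problems; an empty list means the file is acceptable."""
    now = now or datetime.now(timezone.utc)
    fields, errors = parse_security_txt(text)
    errors += [f"missing required field {n}" for n in REQUIRED if n not in fields]
    errors += [f"{n} must appear only once" for n in SINGLE_VALUED
               if len(fields.get(n, [])) > 1]
    for contact in fields.get("Contact", []):
        if not contact.startswith(("mailto:", "tel:", "https://")):
            errors.append(f"Contact must be a mailto:, tel: or https: URI: {contact}")
    for expires in fields.get("Expires", [])[:1]:
        try:  # map a trailing 'Z' to +00:00 so Python < 3.11 parses it too
            when = datetime.fromisoformat(expires.replace("Z", "+00:00"))
        except ValueError:
            errors.append(f"Expires is not an ISO 8601 date-time: {expires}")
            continue
        if when.tzinfo is None:
            errors.append("Expires must include a time zone offset")
        elif when <= now:
            errors.append(f"Expires has passed ({expires}); the file is stale")
        elif when - now > timedelta(days=365):
            errors.append("Expires is over a year away; RFC 9116 advises a shorter window")
    return errors
```

Since the file is served without authentication at /.well-known/security.txt, the same function can be run over the live content fetched from that URL to catch a lapsed Expires before a reporter does.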