RFC 9116 defines security.txt, a plain-text file served at /.well-known/security.txt that tells security researchers exactly how to report vulnerabilities privately. The post explains the standard's required fields (Contact and Expires) and optional ones, then introduces a CakePHP PSR-15 middleware in the cakephp-setup plugin that auto-generates the file with a rolling one-year Expires date, eliminating the maintenance burden of a static file. Configuration uses a typed SecurityTxt value object with IDE autocomplete, and the middleware short-circuits before routing and auth. Pairing security.txt with a SECURITY.md in a GitHub repo creates a complete, private vulnerability disclosure path.
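As an added illustration (my own code, not the post's or the cakephp-setup plugin's), the two halves of the problem the post addresses in Python: rendering a security.txt whose Expires rolls one year ahead of the generation time, and checking a served file for the RFC 9116 requirements the post names (Contact and Expires present, Expires a timezone-qualified RFC 3339 timestamp that has not passed). The contact address and the fixed clock are constructed sample values.

```python
from datetime import datetime, timedelta, timezone

REQUIRED_FIELDS = ("Contact", "Expires")   # RFC 9116: both MUST be present
CONTACT_SCHEMES = ("mailto:", "https://", "tel:")

# Constructed sample clock for reproducible results; real code uses datetime.now(timezone.utc).
SAMPLE_NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)
SAMPLE_CONTACT = "mailto:security@example.com"  # constructed placeholder address


def generate_security_txt(contacts, now):
    """Render a security.txt body whose Expires is one year after `now`,
    the same rolling date a per-request generator would compute."""
    expires = (now + timedelta(days=365)).replace(microsecond=0)
    lines = [f"Contact: {c}" for c in contacts]
    lines.append("Expires: " + expires.isoformat().replace("+00:00", "Z"))
    return "\n".join(lines) + "\n"


def parse_security_txt(text):
    """Collect 'Field: value' lines into {field: [values]}; skip comments and blanks."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if sep:
            fields.setdefault(name.strip(), []).append(value.strip())
    return fields


def check_security_txt(text, now):
    """Return a list of problems; an empty list means the file passes."""
    fields = parse_security_txt(text)
    problems = [f"missing required field {f}" for f in REQUIRED_FIELDS if f not in fields]
    for contact in fields.get("Contact", []):
        if not contact.startswith(CONTACT_SCHEMES):
            problems.append(f"Contact is not a mailto/https/tel URI: {contact}")
    expires = fields.get("Expires", [])
    if expires:
        try:
            when = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
        except ValueError:
            problems.append(f"Expires is not an RFC 3339 timestamp: {expires[0]}")
        else:
            if when.tzinfo is None:
                problems.append("Expires has no timezone offset")
            elif when <= now:
                problems.append("file has expired")  # the stale-static-file failure mode
            elif when > now + timedelta(days=366):
                problems.append("Expires is more than a year ahead")  # RFC 9116 recommends under a year
    return problems
```

Running `check_security_txt` against a live site's /.well-known/security.txt on a schedule catches exactly the silently expired file that the rolling-Expires middleware is designed to prevent.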

6 min read. From dereuromark.de
Table of contents
The problem: a locked door with no doorbell
What security.txt is (RFC 9116)
Why it matters: lower the barrier, route to the right channel
Our take: a CakePHP middleware that never goes stale
Pair it with a SECURITY.md
Try it today