WarDek is a complete compliance suite that combines an OWASP vulnerability scanner with NIS2, AI Act and GDPR compliance modules, specially designed for European SMEs.

Is my company subject to NIS2?

The NIS2 directive applies to essential and important entities in sectors such as energy, healthcare, transport, digital, etc. Use our free simulator to check.

How should I use WarDek reports in an audit?

WarDek reports provide a practical working base for your team, auditor, or compliance preparation. They are not an official certification or legal opinion.

How long does a scan take?

A complete OWASP scan typically takes between 2 and 5 minutes depending on the complexity of your website.

Absolutely. We never store your credentials. Reports are encrypted and you can delete them at any time. We are hosted in France.

Can I try before I buy?

Yes! The Free plan lets you test WarDek with 3 scans per month, no credit card required.

Where should security.txt be published?

Publish it at /.well-known/security.txt on your public website so automated tools and researchers can discover it predictably.

Do I need a bug bounty program to use security.txt?

No. security.txt is useful even without financial rewards. It provides a clear route for responsible disclosure and sets expectations for communication.

How often should I update the file?

Review it whenever ownership, reporting channels, or policy pages change, and refresh the expiration date on a regular schedule so the file stays credible.

Should legal teams review the disclosure policy?

Yes. Legal, product, and technical owners should align on response expectations, safe-harbor language, and out-of-scope boundaries before publication.

security.txt Guide — Vulnerability Disclosure for Websites

Why a security.txt file matters

When a researcher, customer, partner, or automated system detects a possible vulnerability on your website, the hardest part is often not the bug itself. It is knowing where to report it without wasting days in generic support inboxes or public social posts. security.txt solves that discovery problem with a simple, standardized entry point.

For SMEs, this is not only about looking mature. It is about reducing disclosure friction. The faster legitimate reporters can reach the right contact, the more likely you are to resolve issues privately, document decisions, and avoid chaotic handling when the finding is real.

A public disclosure entry point also signals something important internally: security reports are expected, triaged, and owned. That mindset is healthier than pretending reports will never arrive or that support can improvise a secure process under pressure.

What a minimal security.txt should contain

The file is intentionally simple. Publish it at /.well-known/security.txt and keep the contents readable for humans and machines. You do not need a large bug bounty program to benefit from it. You need clear contact information, scope expectations, and a maintained process behind it.

Contact: a monitored email address or secure reporting channel owned by people who can route security findings quickly.
Expires: a date proving the file is maintained and not abandoned.
Policy: a page describing how you handle reports, expected response windows, and basic safe-harbor language if you provide it.
Preferred-Languages: optional, useful when your operator team works primarily in French or English.
Acknowledgments or Hiring fields: optional, only if they reflect a real maintained process.

How to operationalize disclosure handling

Publishing the file is the easy part. The real work is making sure reports do not disappear in a mailbox. Someone needs to own intake, validate severity, request reproduction steps, assign remediation, and close the loop with the reporter when appropriate.

This is where many companies fail. They add a security.txt file for optics, but the address routes to a shared inbox nobody monitors, or to a legal team that does not know what to do with technical reports. If you cannot respond responsibly, keep the scope simple and document realistic response expectations.

Tie disclosure handling to your existing incident and vulnerability management process. Even a small team can run a lightweight workflow: intake, triage, assign, fix, validate, and archive evidence. WarDek's reliability-first posture fits this well because the product is built around proof, remediation context, and auditable decision-making rather than vague alerts.

Implementation steps for a production website

First, publish the file on your canonical domain and confirm it is reachable without redirects or content-type surprises. Then mirror the same disclosure policy on a human-readable page if you want to explain response expectations in more detail.

Second, test the contact workflow end to end. Send a sample report, confirm the right people receive it, and define who decides whether a finding is valid, duplicate, out of scope, or urgent. Security.txt is only useful if the operational path behind it works.

Third, maintain it. An expired file or dead mailbox is worse than no file because it creates false confidence. Put renewal and ownership checks on the same cadence as other trust surfaces such as TLS, privacy pages, and compliance documents.

Mistakes that weaken trust

Do not publish a disclosure contact that sends auto-replies and nothing else. Do not promise a bug bounty if none exists. Do not copy a safe-harbor statement from a large platform if your legal and technical teams have never agreed on how external testing should be handled.

Also avoid treating security.txt as a compliance checkbox. Its value is practical: it shortens the path between discovery and responsible handling. When linked to a real process, it strengthens trust with researchers, customers, and internal operators alike.