> It seems that setting up a security.txt file tends to invite a rather high volume of spam. Most of these junk emails come from self-appointed penetration testers who, without any invitation to do so, run automated vulnerability discovery tools and then submit the resulting reports in hopes of securing a consulting engagement or a bug bounty fee.

Yep, I have a friend who just set hers up; she said within days she had received several emails that seemed more like threats than disclosures or offers to disclose. Worse yet, maybe for all parties, the wording was on the "way too diplomatic" side, and this led to a loss of trust.

Prior to this situation, she said her favorite reports involved https://www.openbugbounty.org/ and friendly advice on how to resolve the issue.