
feat: add .well-known/security.txt for RFC 9116 compliance#333

Open
maoshuorz wants to merge 2 commits into databuddy-analytics:main from maoshuorz:fix/security-txt

Conversation

@maoshuorz

Summary

  • Adds .well-known/security.txt following RFC 9116 for automated vulnerability disclosure discoverability
  • References the existing SECURITY.md policy and security@databuddy.cc contact
  • No changes to the current reporting workflow

Closes #325

Test plan

  • Verify .well-known/security.txt is accessible and contains valid RFC 9116 fields
  • Confirm Contact, Policy, Preferred-Languages, and Expires fields are present

Adds a security.txt file following RFC 9116 to improve automated
discoverability of the project's vulnerability disclosure policy.
References the existing SECURITY.md and security@databuddy.cc contact.

Closes databuddy-analytics#325
@vercel

vercel bot commented Mar 6, 2026

@maoshuorz is attempting to deploy a commit to the Databuddy OSS Team on Vercel.

A member of the Team first needs to authorize it.

@coderabbitai

coderabbitai bot commented Mar 6, 2026

Important

Review skipped

Auto reviews are disabled on this repository. Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.


@greptile-apps

greptile-apps bot commented Mar 6, 2026

Greptile Summary

This PR adds a .well-known/security.txt file per RFC 9116, intending to make the vulnerability disclosure policy machine-discoverable. However, the file has a critical deployment issue that prevents it from fulfilling its purpose.

  • Critical – wrong location: The file is placed at the repository root. This is a Next.js monorepo; static files are only HTTP-accessible when placed inside a given app's public/ directory (e.g., apps/dashboard/public/.well-known/security.txt). The evidence is already in the repo: apps/docs/public/robots.txt follows this pattern. A file at the repo root is never served over HTTP and will return 404 to any automated scanner.
  • Minor – non-standard Expires format: 2027-03-06T00:00:00.000Z includes a .000 millisecond component. RFC 9116 §2.5.5 example uses the plain T00:00:00z form. Prefer 2027-03-06T00:00:00Z for standard compatibility.

Confidence Score: 1/5

  • Not safe to merge — critical deployment issue prevents the RFC 9116 compliance goal from being achieved.
  • The single changed file has a critical issue: placing the security.txt file at the repo root instead of inside the appropriate Next.js app's public/ directory means it won't be accessible at https://yourdomain.com/.well-known/security.txt. The file must be moved to the correct location for any automated scanner to discover it. There's also a minor formatting issue with the Expires timestamp that should be corrected for standard compliance.
  • .well-known/security.txt requires relocation to the appropriate app's public directory

Sequence Diagram

sequenceDiagram
    participant Scanner as Security Scanner / Researcher
    participant Web as databuddy.cc web server
    participant NextJS as Next.js App (apps/dashboard or apps/docs)
    participant Repo as Repository Root

    Scanner->>Web: GET /.well-known/security.txt
    Web->>NextJS: Route request to Next.js app
    NextJS->>NextJS: Look in public/.well-known/security.txt
    NextJS-->>Web: 404 Not Found (file not in public/)
    Web-->>Scanner: 404 Not Found

    Note over Repo: .well-known/security.txt<br/>exists here but is<br/>never served over HTTP

    Note over NextJS: File should be placed at<br/>apps/dashboard/public/.well-known/security.txt<br/>for HTTP discovery to work

Last reviewed commit: 9cf656f

Comment on lines +1 to +4
Contact: mailto:security@databuddy.cc
Policy: https://github.com/databuddy-analytics/Databuddy/blob/main/SECURITY.md
Preferred-Languages: en
Expires: 2027-03-06T00:00:00.000Z
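Review bot: the Expires value on line 4 (2027-03-06T00:00:00.000Z) is set exactly one year after the PR date (Mar 6, 2026), while RFC 9116 §2.5.5 recommends a value less than a year into the future and its examples use whole seconds; a value such as `Expires: 2027-03-01T00:00:00Z` satisfies both, and because scanners treat an expired file as stale, the renewal date is worth tracking so the file is refreshed before it lapses. The four fields are otherwise valid, but nothing states where the file is served from; an optional `Canonical: https://<served-domain>/.well-known/security.txt` line (§2.5.2, domain to be filled in by the maintainers) lets a reader confirm they fetched it from the intended origin, and §2.3 recommends an OpenPGP cleartext signature over the file where the team can maintain one.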

File not served — wrong location in monorepo

This file sits at the repository root, but the web apps in this monorepo are Next.js apps (e.g., apps/dashboard, apps/docs). Next.js only serves static files placed inside each app's public/ directory. A file at the repo root is never served by any of these apps, so https://databuddy.cc/.well-known/security.txt (or whichever domain is the canonical one) will return 404.

For example, apps/docs/public/robots.txt is already served this way — the pattern is established.

The file needs to be placed at apps/dashboard/public/.well-known/security.txt and/or apps/docs/public/.well-known/security.txt, depending on which app owns the root domain. Placing it at the repo root provides no HTTP-accessible endpoint and does not satisfy RFC 9116.


Non-standard millisecond precision in Expires timestamp

The value 2027-03-06T00:00:00.000Z includes a sub-second .000 component. RFC 9116 §2.5.5 cites the ISO 8601 standard and its own example uses 2021-12-31T18:37:07z (no fractional seconds). While RFC 3339 technically permits fractional seconds, the standard format without sub-second precision is preferred for maximum compatibility with security.txt validators.

Use the standard RFC 3339 form without fractional seconds:

Suggested change
Expires: 2027-03-06T00:00:00.000Z
Expires: 2027-03-06T00:00:00Z


Move from repo root to apps/dashboard/public/.well-known/ so Next.js
can serve it at /.well-known/security.txt. Also fix Expires timestamp
to use standard RFC 9116 format without milliseconds.
@vercel

vercel bot commented Mar 6, 2026

The latest updates on your projects.

2 Skipped Deployments

Project          Deployment   Actions   Updated (UTC)
databuddy-links  Skipped      Skipped   Mar 6, 2026 1:12pm
documentation    Skipped      Skipped   Mar 6, 2026 1:12pm

@maoshuorz

@greptile-apps Thanks for the review, but I believe both issues mentioned are already addressed:

  1. File location is correct — The file is at apps/dashboard/public/.well-known/security.txt, which is inside the Next.js app's public/ directory. This follows the same pattern as apps/docs/public/robots.txt. It will be correctly served at https://yourdomain.com/.well-known/security.txt.

  2. Expires format is correct — The timestamp is 2027-03-06T00:00:00Z (no milliseconds), which matches the RFC 9116 §2.5.5 standard format exactly.

The diff confirms both: a/apps/dashboard/public/.well-known/security.txt with Expires: 2027-03-06T00:00:00Z.

@greptile-apps

greptile-apps bot commented Mar 7, 2026

You're absolutely right on both points—I apologize for the confusion in my previous review.

  1. Location is correct: In Next.js, apps/dashboard/public/.well-known/security.txt will be served at /.well-known/security.txt at the root domain, which is exactly what RFC 9116 requires.

  2. Expires format is correct: 2027-03-06T00:00:00Z is valid RFC 3339/ISO 8601 format per §2.5.5. Seconds precision is standard—milliseconds aren't required.

The file looks good and follows the RFC correctly. Thanks for the clarification!
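The two points the thread settled on, whether the file lives somewhere Next.js actually serves and whether Expires is a whole-second RFC 3339 timestamp, are easy to check mechanically before a scanner does. The following is an added example, not code from the Databuddy repository or from either reviewer: the function names are this example's own, it assumes the monorepo layout apps/<app>/public/<file> described in the review, and the sample text is the four-line file shown in the PR.

```typescript
// Added example (not Databuddy project code): a small RFC 9116 security.txt
// checker covering the two review points.
// 1) Is the file at a path Next.js serves? Next.js exposes an app's public/
//    directory at the site root, so only apps/<app>/public/... is reachable.
// 2) Are the mandatory fields present, and is Expires a whole-second
//    RFC 3339 timestamp that is neither in the past nor more than a year out?

interface CheckResult {
  ok: boolean;
  problems: string[];
}

// Map a repository path to the URL path Next.js would serve it at, assuming
// the layout apps/<app>/public/<file>. Anything outside public/ yields null.
function servedUrlPath(repoPath: string): string | null {
  const m = /^apps\/[^/]+\/public\/(.+)$/.exec(repoPath);
  return m ? `/${m[1]}` : null;
}

// Parse "Field: value" lines into a case-insensitive multimap; "#" comments
// and blank lines are skipped, as RFC 9116 permits.
function parseSecurityTxt(text: string): Map<string, string[]> {
  const fields = new Map<string, string[]>();
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (line === "" || line.startsWith("#")) continue;
    const sep = line.indexOf(":");
    if (sep < 0) continue;
    const name = line.slice(0, sep).trim().toLowerCase();
    const value = line.slice(sep + 1).trim();
    fields.set(name, [...(fields.get(name) ?? []), value]);
  }
  return fields;
}

// RFC 3339 date-time; group 1 captures an optional fractional-seconds part.
const RFC3339 =
  /^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?(Z|[+-]\d{2}:\d{2})$/i;

function checkSecurityTxt(text: string, now: Date = new Date()): CheckResult {
  const problems: string[] = [];
  const f = parseSecurityTxt(text);

  // Contact is mandatory and must be a URI (mailto:, https:// or tel:).
  const contacts = f.get("contact") ?? [];
  if (contacts.length === 0) problems.push("missing Contact field");
  for (const c of contacts) {
    if (!/^(mailto:|https:\/\/|tel:)/i.test(c)) {
      problems.push(`Contact "${c}" is not a mailto:, https:// or tel: URI`);
    }
  }

  // Expires is mandatory, appears once, and is an RFC 3339 date-time.
  const expires = f.get("expires") ?? [];
  if (expires.length !== 1) {
    problems.push("Expires must appear exactly once");
  } else {
    const v = expires[0] ?? "";
    const m = RFC3339.exec(v);
    if (!m) {
      problems.push(`Expires "${v}" is not an RFC 3339 date-time`);
    } else {
      if (m[1]) {
        problems.push("Expires carries fractional seconds; use whole seconds, e.g. 2027-03-06T00:00:00Z");
      }
      const t = Date.parse(v);
      if (t <= now.getTime()) problems.push("Expires is in the past; the file is stale");
      const oneYearOut = new Date(now);
      oneYearOut.setUTCFullYear(oneYearOut.getUTCFullYear() + 1);
      if (t > oneYearOut.getTime()) problems.push("Expires is more than a year out; RFC 9116 recommends less");
    }
  }
  return { ok: problems.length === 0, problems };
}

// The file as shown in the PR (apps/dashboard/public/.well-known/security.txt).
const SAMPLE = [
  "Contact: mailto:security@databuddy.cc",
  "Policy: https://github.com/databuddy-analytics/Databuddy/blob/main/SECURITY.md",
  "Preferred-Languages: en",
  "Expires: 2027-03-06T00:00:00Z",
].join("\n");

// Usage: pin "now" to the review date so the result is reproducible.
const reviewDate = new Date("2026-03-06T13:12:00Z");
console.log(servedUrlPath("apps/dashboard/public/.well-known/security.txt")); // /.well-known/security.txt
console.log(servedUrlPath(".well-known/security.txt")); // null
console.log(checkSecurityTxt(SAMPLE, reviewDate)); // { ok: true, problems: [] }
```

The checker takes `now` as a parameter rather than reading the clock so the same file can be re-checked on a fixed date in CI; the one-year bound is a recommendation in RFC 9116, so a deployment that wants a longer window can drop that single check without affecting the others.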
