Add /.well-known/security.txt for vulnerability disclosure contact

[BankkRoll]

tanstack.com has no /.well-known/security.txt. Adding one gives security researchers (and automated tooling) a single, discoverable place to find how to report a vulnerability. This is especially relevant given the recent ecosystem-wide false-positive malware-flagging wave that affected several widely trusted packages, including a TanStack package.

Context: https://x.com/tan_stack/status/2059299881446228347

Why this helps

• Standard discovery path. RFC 9116 (https://www.rfc-editor.org/rfc/rfc9116) defines /.well-known/security.txt as the canonical location researchers check first.
• AI/automated tooling checks it. Most security scanners and AI testing agents auto-fetch security.txt to find the right contact before reaching out. No file means reports get sent to random emails, social media, or nowhere.
• Faster, cleaner triage. A clear Contact and Policy gets real reports to the right people quickly and cuts noise.

Proposed implementation

Since the site runs on TanStack Start, security.txt is served via a server route (matching the existing .well-known/oauth-authorization-server convention) rather than a static file, so the RFC-required Expires field is computed one year out at request time and never goes stale. Paired with a SECURITY.md that enables GitHub's built-in "Report a vulnerability" flow.

src/routes/[.]well-known/security[.]txt.ts

import { createFileRoute } from '@tanstack/react-router'
import { setResponseHeader } from '@tanstack/react-start/server'
import { env } from '~/utils/env'

// security.txt (RFC 9116): tells security researchers and automated
// scanners where to report vulnerabilities. The Expires field is required
// by the spec, so we compute it one year out at request time and keep the
// file fresh without anyone having to remember to bump a hard-coded date.
export const Route = createFileRoute('/.well-known/security.txt')({
  server: {
    handlers: {
      GET: async ({ request }: { request: Request }) => {
        const origin = env.SITE_URL || new URL(request.url).origin

        const expires = new Date()
        expires.setFullYear(expires.getFullYear() + 1)

        const lines = [
          '# TanStack security policy: https://github.com/TanStack/tanstack.com/blob/main/SECURITY.md',
          '',
          'Contact: https://github.com/TanStack/tanstack.com/security/advisories/new',
          'Contact: mailto:security@tanstack.com',
          'Contact: mailto:support@tanstack.com',
          `Expires: ${expires.toISOString().slice(0, 19)}Z`,
          `Canonical: ${origin}/.well-known/security.txt`,
          'Policy: https://github.com/TanStack/tanstack.com/blob/main/SECURITY.md',
          `Acknowledgments: ${origin}/blog/npm-supply-chain-compromise-postmortem`,
          'Preferred-Languages: en',
        ]

        setResponseHeader('Content-Type', 'text/plain; charset=utf-8')
        setResponseHeader('Cache-Control', 'public, max-age=3600')
        setResponseHeader('Access-Control-Allow-Origin', '*')

        return new Response(lines.join('\n') + '\n')
      },
    },
  },
})

SECURITY.md

# Security Policy

We take the security of TanStack and everyone who depends on it seriously. Thank you for taking the time to report responsibly, it genuinely helps.

## Reporting a Vulnerability

**Please do not open a public issue, pull request, or discussion for security problems.** Public reports give attackers a head start before a fix is out.

Instead, use one of these private channels:

1. **GitHub Security Advisories (preferred):** open a private report at
   https://github.com/TanStack/tanstack.com/security/advisories/new
   This keeps the discussion private and lets us collaborate on a fix and a coordinated disclosure.
2. **Email:** security@tanstack.com, or support@tanstack.com if you don't get a response.

If a vulnerability affects a specific TanStack library rather than this website, please report it on that library's repository under the TanStack organization (https://github.com/TanStack) using the same private-advisory flow.

## What to Include

To help us triage quickly, please include as much of the following as you can:

- A description of the issue and its potential impact.
- Steps to reproduce, or a proof of concept.
- The affected version, URL, package, or commit.
- Any suggested remediation, if you have one.

## Our Commitment

- We'll acknowledge your report as soon as we can after receiving it.
- We'll keep you updated as we investigate and work on a fix.
- We'll credit you in the advisory once the issue is resolved, unless you'd prefer to remain anonymous.

Please give us a reasonable window to release a fix before any public disclosure. We're happy to coordinate timing with you.

## Scope

This policy covers the tanstack.com website and this repository. For the libraries in the TanStack ecosystem, see their respective repositories under https://github.com/TanStack

A machine-readable version of our contact details is published at
https://tanstack.com/.well-known/security.txt per RFC 9116 (https://www.rfc-editor.org/rfc/rfc9116).

## Prior Disclosures

For an example of how we handle and communicate security incidents, see our
npm supply-chain compromise postmortem: https://tanstack.com/blog/npm-supply-chain-compromise-postmortem

Note: the mailto: addresses (security@tanstack.com / support@tanstack.com) are suggestions, please confirm those inboxes exist, or drop them and rely on the GitHub Advisory link. Same for the Acknowledgments blog URL, swap it if the postmortem lives elsewhere.

Reference branch / commit

I drafted this but couldn't open a PR directly (repo is collaborator-only):

• Branch: https://github.com/BankkRoll/tanstack.com/tree/add-security-txt
• Commit: BankkRoll@12bf50f

Happy to open a PR if a maintainer enables it, or you can cherry-pick the branch.