diff --git a/apps/main/public/.well-known/README.md b/apps/main/public/.well-known/README.md
index 2b90c7ef40..d0194a3a68 100644
--- a/apps/main/public/.well-known/README.md
+++ b/apps/main/public/.well-known/README.md
@@ -1,4 +1,14 @@
+# Well-Known Directory
+
 ## Wallet Connect Domain Verification
 
 The [walletconnect.txt](./walletconnect.txt) file contains the token used to verify the domain in the wallet connect dashboard.
 This approach only works to validate a single domain at once, however once validated the domain the file is allowed to change.
+
+## Security.txt
+
+The [security.txt](./security.txt) file is used to define security policies and contact information for security researchers.
+It follows the [RFC 9116 standard](https://www.rfc-editor.org/rfc/rfc9116).
+
+The expiration date should be updated periodically to ensure the file remains valid.
+Check the contact information before updating the date to ensure it is still accurate.
diff --git a/apps/main/public/.well-known/security.txt b/apps/main/public/.well-known/security.txt
new file mode 100644
index 0000000000..ba92fd7f90
--- /dev/null
+++ b/apps/main/public/.well-known/security.txt
@@ -0,0 +1,4 @@
+Contact: mailto:security@curve.finance
+Expires: 2026-02-28T23:00:00.000Z
+Preferred-Languages: en
+Canonical: https://www.curve.finance/.well-known/security.txt
diff --git a/apps/main/vite.config.ts b/apps/main/vite.config.ts
index ab8243c456..3bcebbed01 100644
--- a/apps/main/vite.config.ts
+++ b/apps/main/vite.config.ts
@@ -34,6 +34,11 @@ export default defineConfig(({ command }) => ({
 source: '/favicon',
 destination: '/favicon.ico',
 },
+ {
+ source: '/security.txt',
+ destination: '/.well-known/security.txt',
+ statusCode: 308, // Permanent redirect
+ },
 {
 source: '/(.*)',
 destination: '/index.html',
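Review bot: In apps/main/public/.well-known/security.txt the `Expires` value is a hard-coded date, and nothing in this change warns or fails when it is about to lapse; the README hunk only asks for a periodic manual update. RFC 9116 treats a file past its `Expires` date as stale and not to be used, so a missed update silently removes the reporting channel. A leading comment such as `# Expires must be renewed before 2026-02-28 - recheck Contact first (see README.md)` would keep the reminder next to the value, and a CI check comparing the date with the current time would make a lapse visible. The single `Canonical` line covers only the `www.curve.finance` host; if the same build is served from other hosts, each one likely needs its own `Canonical` line.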
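Review bot: In apps/main/vite.config.ts the new `/security.txt` rule works only because it sits above the `/(.*)` to `/index.html` catch-all, and nothing on the entry says so; assuming rules are matched in order, a later reorder would make the legacy path return the SPA shell with no error. A comment on the entry would record that, for example `// RFC 9116 legacy path; keep above the '/(.*)' catch-all`. The hunk also does not show whether `/.well-known/security.txt` itself is served as a static file before the catch-all applies, so it is worth confirming that the destination returns the text file as `text/plain` rather than `index.html`. The enclosing rule array starts and ends outside this hunk.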