diff --git a/cmd/csaf_aggregator/config.go b/cmd/csaf_aggregator/config.go index 555ef74..e08ee52 100644 --- a/cmd/csaf_aggregator/config.go +++ b/cmd/csaf_aggregator/config.go @@ -41,6 +41,7 @@ type provider struct { Categories *[]string `toml:"categories"` // ServiceDocument incidates if we should create a service.json document. ServiceDocument *bool `toml:"create_service_document"` + WriteIndices *bool `toml:"write_indices"` } type config struct { @@ -54,6 +55,7 @@ type config struct { Rate *float64 `toml:"rate"` Insecure *bool `toml:"insecure"` Categories *[]string `toml:"categories"` + WriteIndices bool `toml:"write_indices"` Aggregator csaf.AggregatorInfo `toml:"aggregator"` Providers []*provider `toml:"providers"` OpenPGPPrivateKey string `toml:"openpgp_private_key"` @@ -91,6 +93,14 @@ func (p *provider) serviceDocument(c *config) bool { return c.ServiceDocument } +// writeIndices tells if we should write index.txt and changes.csv. +func (p *provider) writeIndices(c *config) bool { + if p.WriteIndices != nil { + return *p.WriteIndices + } + return c.WriteIndices +} + // runAsMirror determines if the aggregator should run in mirror mode. func (c *config) runAsMirror() bool { return c.Aggregator.Category != nil && diff --git a/cmd/csaf_aggregator/indices.go b/cmd/csaf_aggregator/indices.go index daac073..9cc5a69 100644 --- a/cmd/csaf_aggregator/indices.go +++ b/cmd/csaf_aggregator/indices.go 
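Review bot: The new `WriteIndices` field in `provider` has no doc comment although the neighbouring `ServiceDocument` field has one, and the same holds for the `WriteIndices` field added to `config` in the next hunk. I would add `// WriteIndices indicates if we should write index.txt and changes.csv.` above the provider field and `// WriteIndices is the default for providers that do not set write_indices.` above the config field. Because the config field is a plain `bool`, a file without the key resolves to `false` in `provider.writeIndices`, so an existing setup stops producing both files after this change unless the key is added. That default deserves a line in the comment too.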
@@ -299,11 +299,14 @@ func (w *worker) writeIndices() error { if err := w.writeInterims(label, summaries); err != nil { return err } - if err := w.writeCSV(label, summaries); err != nil { - return err - } - if err := w.writeIndex(label, summaries); err != nil { - return err + // Only write index.txt and changes.csv if configured. + if w.provider.writeIndices(w.processor.cfg) { + if err := w.writeCSV(label, summaries); err != nil { + return err + } + if err := w.writeIndex(label, summaries); err != nil { + return err + } } if err := w.writeROLIE(label, summaries); err != nil { return err diff --git a/cmd/csaf_provider/actions.go b/cmd/csaf_provider/actions.go index 486cfd7..ab6c814 100644 --- a/cmd/csaf_provider/actions.go +++ b/cmd/csaf_provider/actions.go @@ -261,11 +261,14 @@ func (c *controller) upload(r *http.Request) (interface{}, error) { return err } - if err := updateIndices( - folder, filepath.Join(year, newCSAF), - ex.CurrentReleaseDate, - ); err != nil { - return err + // Only write index.txt and changes.csv if configured. + if c.cfg.WriteIndices { + if err := updateIndices( + folder, filepath.Join(year, newCSAF), + ex.CurrentReleaseDate, + ); err != nil { + return err + } } // Take over publisher diff --git a/cmd/csaf_provider/config.go b/cmd/csaf_provider/config.go index e33594a..ad008df 100644 --- a/cmd/csaf_provider/config.go +++ b/cmd/csaf_provider/config.go @@ -58,6 +58,8 @@ type config struct { RemoteValidator *csaf.RemoteValidatorOptions `toml:"remote_validator"` Categories *[]string `toml:"categories"` ServiceDocument bool `toml:"create_service_document"` + WriteIndices bool `toml:"write_indices"` + WriteSecurity bool `toml:"write_security"` } func (pmdc *providerMetadataConfig) apply(pmd *csaf.ProviderMetadata) { diff --git a/cmd/csaf_provider/create.go b/cmd/csaf_provider/create.go index 9bd12e9..d4b493c 100644 --- a/cmd/csaf_provider/create.go +++ b/cmd/csaf_provider/create.go 
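Review bot: The guard added in `(*worker).writeIndices` means that method still calls `writeInterims` and `writeROLIE` when `write_indices` is off, while `provider.writeIndices`, under the same name, only answers a yes/no question. The worker method starts outside this hunk, so its doc comment is not visible. If it has one, it should say that the two files are optional, for example `// writeIndices writes the interim and ROLIE files per label; index.txt and changes.csv only if configured.`. Renaming the predicate (e.g. `shouldWriteIndices`) would keep the two apart, at the cost of departing from the `serviceDocument` pattern in config.go.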
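Review bot: When `c.cfg.WriteIndices` is false, `upload` skips `updateIndices`, and nothing in this hunk removes an `index.txt` or `changes.csv` already present in `folder`. On a provider that wrote them before this change, they would stop listing new advisories without any error. Clients that discover documents through those files would then miss uploads, which matters because the option defaults to `false`. I would say so in the comment, e.g. `// Only write index.txt and changes.csv if configured; files from earlier uploads are left untouched.`, and repeat it in docs/csaf_provider.md. The body of `upload` continues outside the hunk, so whether another feed is still updated there is not visible here.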
@@ -43,7 +43,13 @@ func ensureFolders(c *config) error { } } - return setupSecurity(c, wellknown) + // Only write/modify security.txt if configured. + if c.WriteSecurity { + if err := setupSecurity(c, wellknown); err != nil { + return err + } + } + return nil } // createWellknown creates ".well-known" directory if not exist and returns nil. diff --git a/docs/csaf_aggregator.md b/docs/csaf_aggregator.md index ad8bf07..2a6d009 100644 --- a/docs/csaf_aggregator.md +++ b/docs/csaf_aggregator.md @@ -78,8 +78,7 @@ web // directory to be served by the webserver domain // base url where the contents will be reachable from outside rate // overall downloading limit per worker insecure // do not check validity of TLS certificates -aggregator // table with basic infos for the aggregator object -providers // array of tables, each entry to be mirrored or listed +write_indices // write index.txt and changes.csv openpgp_private_key // OpenPGP private key openpgp_public_key // OpenPGP public key passphrase // passphrase of the OpenPGP key @@ -88,6 +87,8 @@ interim_years // limiting the years for which interim documents are sear verbose // print more diagnostic output, e.g. https request allow_single_provider // debugging option remote_validator // use remote validation checker +aggregator // table with basic infos for the aggregator object +providers // array of tables, each entry to be mirrored or listed ``` Rates are specified as floats in HTTPS operations per second. @@ -99,6 +100,7 @@ name domain rate insecure +write_indices ``` #### Example config file @@ -112,6 +114,13 @@ web = "/var/csaf_aggregator/html" domain = "https://localhost:9443" rate = 10.0 insecure = true +#key = +#passphrase = +#write_indices = false + +# specification requires at least two providers (default), +# to override for testing, enable: +# allow_single_provider = true [aggregator] category = "aggregator" 
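Review bot: The tail of `ensureFolders` can keep a single return path: `if !c.WriteSecurity { return nil }` followed by `return setupSecurity(c, wellknown)` says the same as the added nested `if err := …; err != nil` block with less nesting. Since `WriteSecurity` is a plain `bool` in the provider config, a config file without `write_security` now skips `setupSecurity` entirely. A fresh install therefore gets no `CSAF:` entry in `security.txt` unless the operator opts in. The comment could state that, e.g. `// security.txt is only touched when write_security is set (default: false).`. The start of `ensureFolders` lies outside this hunk.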
@@ -131,12 +140,6 @@ insecure = true domain = "localhost" # rate = 1.2 # insecure = true - -#key = -#passphrase = - -# specification requires at least two providers (default), -# to override for testing, enable: -# allow_single_provider = true + write_indices = true ``` diff --git a/docs/csaf_provider.md b/docs/csaf_provider.md index 134d894..1cac140 100644 --- a/docs/csaf_provider.md +++ b/docs/csaf_provider.md @@ -21,6 +21,8 @@ Following options are supported in the config file: - dynamic_provider_metadata: Take the publisher from the CSAF document. Default: `false`. - upload_limit: Set the upload limit size of a file in bytes. Default: `52428800` (aka 50 MiB). - issuer: The issuer of the CA, which if set, restricts the writing permission and the accessing to the web-interface to only the client certificates signed with this CA. + - write_indices: Write/update `index.txt` and `changes.csv`. Default: false + - write_security: Write `CSAF:` entry into `security.txt`: Default: false - tlps: Set the allowed TLP comming with the upload request (one or more of "csaf", "white", "amber", "green", "red"). The "csaf" selection lets the provider takes the value from the CSAF document. These affects the list items in the web interface. diff --git a/docs/examples/aggregator.toml b/docs/examples/aggregator.toml index 35e36f1..638c104 100644 --- a/docs/examples/aggregator.toml +++ b/docs/examples/aggregator.toml @@ -5,6 +5,13 @@ web = "/var/csaf_aggregator/html" domain = "https://localhost:9443" rate = 10.0 insecure = true +#key = +#passphrase = +#write_indices = false + +# specification requires at least two providers (default), +# to override for testing, enable: +# allow_single_provider = true [aggregator] category = "aggregator" 
@@ -24,11 +31,4 @@ insecure = true domain = "localhost" # rate = 1.2 # insecure = true - -#key = -#passphrase = - -# specification requires at least two providers (default), -# to override for testing, enable: -# allow_single_provider = true - + write_indices = true