Been in or around tech my whole life and this is the first time I've heard of security.txt. This article is trying to shame or something over what even https://securitytxt.org/ is calling "A proposed standard..."?
I want to start off by saying that I do think the goal of this RFC is a laudable one, and anything that follows shouldn't be taken as a damnation of it. If you are on the fence about whether you should implement security.txt, just do it.

This article is a large nothing burger. "I sampled 50 companies, most of which are on the internet because they have to be, and most didn't implement an IETF comment". If these were mostly tech-focused companies, or heck, security companies, sure, it would make sense to shame them, but if there is a vulnerability in Ford's website I would bet the impact is quite low.
Hell, this is so poorly thought out that I want to go try it on the top 100 websites by volume and maybe try to find a top 100 tech websites.
Meh. Well-known records (robots.txt, everything under .well-known/, etc.) are meant to be used by automated systems, IMO. The only automated systems that would ever use this are email harvesters.

You can find our security contact in the whois record for our domain, or through the "vulnerability reporting" link in the footer of our homepage. Good enough.