Most IT companies fail to serve security.txt for RFC 9116 in 2025

43 points by spyc 3 months ago

5 comments

temp0826 3 months ago
Been in or around tech my whole life and this is the first time I've heard of security.txt. This article is trying to shame or something over what even https://securitytxt.org/ is calling "A proposed standard..."?
chillfox 3 months ago
I really don’t get why you would want to serve security.txt, it just invites an avalanche of automated spam.
kaladin-jasnah 3 months ago
Are these all IT companies? Mazda and Marantz certainly don't seem like they're IT companies.
MadVikingGod 3 months ago
I want to start off with that I do think the goal of this RFC is a laudable one, and anything that follows shouldn't be taken as a damnation of it. If you are on the fence if you should implement security.txt just do it.

This article is a large nothing burger. "I sampled 50 companies, most of which are on the internet because they have to be, and most didn't implement an IETF comment". If these were mostly tech focused companies, or heck security companies, sure it would make sense to shame them, but if there is a vulnerability in Ford's website I would bet the impact is quite low. Hell this is so poorly thought out I want to go try it on the top 100 websites by volume and maybe try and find a top 100 tech websites.
parliament32 3 months ago
Meh. Well known records (robots.txt, everything under .well-known/, etc) are meant to be used by automated systems IMO. The only automated system that would ever use this is email harvesters.

You can find our security contact in the whois record for our domain, or through the "vulnerability reporting" link in the footer of our homepage. Good enough.