Despite being a simple, beneficial, and standardized way for security researchers to report vulnerabilities, adoption of security.txt files (as defined by RFC 9116) remains disappointingly low. A 2025 study by Hartwork found that the vast majority of IT companies, including many prominent names, still do not provide a security.txt file on their websites. This lack of adoption hinders responsible vulnerability disclosure and potentially leaves these organizations more susceptible to exploitation, as researchers lack clear reporting channels. The study emphasizes the continued need for greater awareness and adoption of this straightforward security best practice.
In a blog post titled "Most IT companies fail to serve security.txt for RFC 9116 in 2025," published on hartwork.org, the author laments the surprisingly low adoption rate of the security.txt standard, a simple yet effective method for improving vulnerability disclosure processes. RFC 9116, which formally specifies this standard, outlines how organizations should provide a plaintext file named security.txt at a well-known location (/.well-known/security.txt) on their website. This file contains essential contact information for security researchers and ethical hackers to report potential vulnerabilities. Despite being a straightforward and beneficial practice, the author's research indicates a dismal adoption rate even among prominent IT companies.
The blog post details the author's methodology, which involved scanning the top 100 publicly traded IT companies listed on the NASDAQ stock exchange. They checked for the presence of a valid security.txt file at the standardized location. The results revealed a disappointingly low adoption rate, with a significant majority of these companies failing to implement this basic security measure. This lack of adoption hinders responsible vulnerability disclosure, potentially leaving these organizations more susceptible to exploitation.
The author emphasizes the simplicity and importance of implementing security.txt. It requires minimal effort to create and deploy the file, yet it provides a clear and standardized communication channel for security researchers. This facilitates the responsible reporting of vulnerabilities, allowing companies to address potential security flaws before they can be exploited by malicious actors. The low adoption rate, therefore, represents a missed opportunity for these companies to enhance their security posture and protect themselves from potential attacks.
The blog post concludes with a renewed call to action, urging organizations to embrace the security.txt standard. By implementing this simple measure, companies can significantly improve their vulnerability management processes, foster better relationships with the security research community, and ultimately strengthen their overall security. The author stresses that the minimal effort required to deploy a security.txt file is far outweighed by the potential benefits in terms of improved security and reduced risk. The continued lack of widespread adoption, even years after the standardization through RFC 9116, is presented as a concerning trend within the cybersecurity landscape.
Summary of Comments ( 1 )
https://news.ycombinator.com/item?id=43235972
Hacker News users generally agreed with the premise that security.txt adoption is disappointingly low, with several expressing frustration at the security industry's failure to implement basic best practices. Some commenters pointed out that even security-focused companies often lack a security.txt file, highlighting a general apathy or ignorance towards the standard. Others discussed the potential downsides of security.txt, such as increased exposure to automated vulnerability scanning and the possibility of it becoming a target for social engineering attacks. A few suggested that the lack of adoption might stem from the perceived lack of clear benefits or fear of legal repercussions for disclosed vulnerabilities. The overall sentiment reflects a concern for the slow uptake of a seemingly simple yet beneficial security measure.
The Hacker News post titled "Most IT companies fail to serve security.txt for RFC 9116 in 2025" generated a moderate number of comments discussing the adoption (or lack thereof) of the security.txt standard. Several commenters expressed a general sentiment of disappointment and frustration with the slow uptake of such a simple, yet beneficial, security practice.
One compelling line of discussion revolved around the practical challenges and perceived lack of incentives for companies to implement security.txt. Some argued that security researchers often find vulnerabilities through means other than those advertised in a security.txt file, therefore diminishing its perceived value for companies. Others countered this point by highlighting the importance of providing a clear and official channel for reporting vulnerabilities, regardless of how they are discovered. This, they argued, can help streamline the vulnerability disclosure process and prevent researchers from resorting to less secure or less desirable methods of contact.
Another commenter pointed out that the absence of security.txt often leads to wasted time and effort for security researchers who have to resort to searching for contact information through various channels, potentially leading to delayed vulnerability disclosures. This reinforces the argument that security.txt benefits both the reporting party and the receiving organization.
The issue of discoverability also arose, with some commenters questioning how effective security.txt is if search engines aren't indexing it reliably. This raised concerns about the practical utility of the standard if it's not easily findable by those who need it.
Finally, a few comments touched upon the potential legal implications of not having a security.txt file, suggesting that in the future, its absence might be considered negligent, especially in regulated industries. This adds another layer of incentive for companies to adopt the standard, moving beyond best practice and towards a potential legal requirement.
While no single comment was overwhelmingly compelling in isolation, the collective discussion painted a picture of a security standard struggling with adoption despite its simplicity and potential benefits. The comments highlighted the tension between the perceived effort required for implementation and the potential benefits, as well as the need for improved discoverability and potential future legal implications that might drive wider adoption.