Been in or around tech my whole life and this is the first time I've heard of security.txt. This article is trying to shame or something over what even https://securitytxt.org/ is calling "A proposed standard..."?
The “fail to serve” wording in the headline is unnecessarily rage-baity.
It’s an interesting proposal, but trying to shame people into adopting proposed things is more likely to generate groans and disinterest in 2025 than to win converts.
I see these sorts of things as a signal. I would personally encourage use internally, because I would like to signal towards the right sort of researchers.
But when you conflate that with some sort of expectation or "minimum effort" and try to shame people with it you signal something else, particularly to people who disagree with the value of said standard. I've had people show me my domains on "DNSSEC Hall of shame" site and my opinion of that site's existence lowers every time.
People who spent hours finding the right security contacts for companies without luck would likely disagree. The key failure is not the single missing file, but that security contacts are too hard to find and the effect that has.
That website misrepresents the RFC in a way that I can only describe as deliberate and egregious. To quote the RFC itself, "This document is not an Internet Standards Track specification; it is published for informational purposes."
In other words, someone had an interesting and possibly good idea, and did the non-trivial work to get it published as an RFC (getting even informational RFCs published takes considerable effort), and now someone (else?) is trying to misrepresent its status.
As said in another comment, "nothing burger". Also, {click,flame}bait.
I serve this file for a fintech. If there is a legit vulnerability, I both want that report in my inbox for triage with as little friction as possible and I also want to be able to demonstrate that we made a best effort to receive that information from a good faith reporter. Is it work? Yes, of course, but that’s part of the job (to defend the enterprise).
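For an operator who, like the commenter above, serves this file and wants reports to arrive with as little friction as possible, the easiest self-check is to validate the file's required fields before publishing it. The block below is an added example, not code from the thread or from any project it mentions: a minimal checker for RFC 9116 security.txt that enforces the two required fields (Contact, Expires), rejects an Expires date in the past or more than a year out, and flags Contact values that are not mailto:/https:/tel: URIs. The sample file and the `now_iso` clock override are constructed for illustration.

```python
# Added example: minimal RFC 9116 security.txt checker (not from the thread).
from datetime import datetime, timedelta, timezone
ALLOWED_CONTACT = ("mailto:", "https://", "tel:")

def parse_security_txt(text):
    """Map lowercased field names to their values, skipping comments and blanks."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields

def _parse_dt(value):  # RFC 3339 date-time; must carry a UTC offset
    dt = datetime.fromisoformat(value.strip().replace("Z", "+00:00"))
    if dt.tzinfo is None:
        raise ValueError("date-time without timezone offset")
    return dt

def check_security_txt(text, now_iso=None):
    """Return a list of problems; [] means the file passes. now_iso pins the clock (assumed test hook)."""
    now = _parse_dt(now_iso) if now_iso else datetime.now(timezone.utc)
    problems, fields = [], parse_security_txt(text)
    contacts = fields.get("contact", [])
    if not contacts:
        problems.append("missing required Contact field")
    for c in contacts:
        if not c.lower().startswith(ALLOWED_CONTACT):
            problems.append(f"Contact is not a mailto:/https:/tel: URI: {c}")
    expires = fields.get("expires", [])
    if len(expires) != 1:
        problems.append("Expires must appear exactly once")
    else:
        try:
            exp = _parse_dt(expires[0])
            if exp <= now:
                problems.append(f"file expired on {expires[0]}")
            elif exp > now + timedelta(days=365):
                problems.append("Expires is more than a year out")
        except ValueError:
            problems.append(f"Expires is not an RFC 3339 date-time: {expires[0]}")
    return problems

SAMPLE = """# constructed sample, not a real site's file
Contact: mailto:security@example.com
Expires: 2026-06-30T00:00:00Z
"""
```

An expired Expires field is the most common way a published file silently stops being valid, so re-running the check from CI or a cron job is worth more than the one-time validation.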
Do you run a paid bug bounty program? I saw an interesting presentation from Finn.no about how they got most of their vulnerabilities through that, basically none from their security.txt file, and a handful from people contacting the CISO on LinkedIn.
Yeah, you will get all kinds of email claiming your [insert nonsense tech buzzwords you don’t even have] are open to vulnerabilities that don’t apply or exist, and they will cc your boss looking for a bogus payday.
I’m not really sure why the author made the limitation to “IT Companies” unless what they really mean is the IT organization within the companies. The security.txt seems like it should be utilized by any company that does business on the internet, much like having an abuse email address.
I want to start off with that I do think the goal of this RFC is a laudable one, and anything that follows shouldn't be taken as a damnation of it. If you are on the fence about whether you should implement security.txt, just do it.
This article is a large nothing burger. "I sampled 50 companies, most of which are on the internet because they have to be, and most didn't implement an IETF comment". If these were mostly tech-focused companies, or heck, security companies, sure it would make sense to shame them, but if there is a vulnerability in Ford's website I would bet the impact is quite low.
Hell, this is so poorly thought out I want to go try it on the top 100 websites by volume and maybe try and find a top 100 tech websites.
Meh. Well-known records (robots.txt, everything under .well-known/, etc.) are meant to be used by automated systems IMO. The only automated system that would ever use this is email harvesters.
You can find our security contact in the whois record for our domain, or through the "vulnerability reporting" link in the footer of our homepage. Good enough.
After 3 years: ZERO spam