Measured data, July 9, 2026
Publishing security.txt is easy, keeping it valid is not
RFC 9116
gives every organization a single, machine-readable place to say
“here is how to report a vulnerability to us”: a plain-text file at
/.well-known/security.txt. We fetched it for every
Fortune 500 company and checked whether it is real, valid, and signed.
01 Present vs. correct
Publishing one is not the same as getting it right
10%
51/500 companies
publish a security.txt
51 of the 500 companies serve a file at the well-known
(or legacy) location.
22%
11/51 of those
are fully RFC 9116 compliant
Valid
Contact, a single unexpired Expires,
served as text/plain over HTTPS.
13
companies publish a security.txt whose
Expires date has
already passed, a file the spec says clients should treat as
stale. Publishing is easy; maintaining is the hard part.
02 The adoption funnel
From published to signed, across all 500
Publishes a security.txt10.2% · 51
Served over HTTPS10.2% · 51
Fully RFC 9116 compliant2.2% · 11
OpenPGP signed0.4% · 2
03 What's inside the files
Beyond the required fields
RFC 9116 requires only Contact and Expires.
Everything else is optional. Here is what companies actually include, as a
share of the 51 published files.
Optional fields of 51 files
Contact schemes by URI type
04 The roll call
51 companies that publish
Every company with a security.txt. 11 are fully compliant; 2 sign the file with OpenPGP (0 verified against a published key).
No domains match “”.