Efflux
Field Reports
5 reports published
Field Reports
Short, data-driven investigations into how organizations signal reliability, security, and trust in the open.
№ 05 Privacy Signals July 9, 2026
Among Fortune 500, GPC is niche, DNT is gone
Two privacy declarations under /.well-known/: W3C gpc.json on 20 domains, EFF dnt-policy.txt on none.
20
serve gpc.json
16
gpc compliant
0
dnt policies
500
surveyed
№ 04 DNS Security July 9, 2026
What DNSSEC? It's nearly nonexistent among the Fortune 500
Only a handful of the largest companies in America sign their DNS and validate all the way to the root. Everyone else is wide open to spoofing.
53
sign their zone
47
validate end-to-end
0
bogus chains
500
surveyed
№ 03 Email Transport Security July 9, 2026
Good idea, poor adoption: MTA-STS among the Fortune 500
The spec is sound: publish a policy, enforce TLS on inbound mail. Across the Fortune 500, almost nobody has.
11
serve a policy
5
enforce tls
25
tls-rpt records
500
surveyed
№ 02 Vulnerability Disclosure July 9, 2026
Publishing security.txt is easy, keeping it valid is not
RFC 9116 gives every company one file for vulnerability disclosure. Most of the Fortune 500 skip it; many who publish let it expire.
51
publish security.txt
11
RFC 9116 compliant
2
openpgp signed
500
surveyed
№ 01 Public Reliability Signals July 9, 2026
The public face of trust and reliability
Who among the Fortune 500 actually publishes a real status page or trust center, validated over DNS and HTTP.
19
companies publish
10
status pages
12
trust centers
500
surveyed