Most IT companies fail to serve security.txt for RFC 9116 in 2025

Published on: 2025-07-08 15:33:21

I happen to maintain a public list of companies using libexpat in hardware, though not complete by any means. Last time I tried mass-mailing companies about a security issue in April 2024. Finding the right contact for security was non-trivial and even failed in some cases. E.g. for Humax Digital I eventually gave up. It is needless to say that if your security contacts are too hard to find, that says something about how urgently you want to fix security issues (or not). So I felt like re-checking how many of these 50 companies are serving /.well-known/security.txt (or the significantly less common /security.txt) a la RFC 9116 in 2025. The sad answer is: 39 out of the 50 companies I tested do not, i.e. 78%. Here's who and where exactly I tested: ...
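A survey like this has to decide whether a response really is a security.txt. As an added example (not the author's script and not code from the original article), the following validates an already-fetched response body against the RFC 9116 basics: at least one Contact field, exactly one Expires field that is still in the future, and not an HTML error page. The function names, sample bodies, fixed clock and the restriction of Contact to mailto:, https: and tel: URIs are assumptions made for the illustration.

```python
from datetime import datetime, timezone

# Constructed sample bodies (example.com), not taken from any real site.
GOOD = ("# constructed sample\nContact: mailto:security@example.com\n"
        "Contact: https://example.com/report\nExpires: 2026-01-01T00:00:00Z\n")
STALE = "Expires: 2024-04-01T00:00:00Z\nPolicy: https://example.com/policy\n"
SOFT_404 = "<!DOCTYPE html><html><body>Page not found</body></html>"
NOW = datetime(2025, 7, 8, tzinfo=timezone.utc)  # fixed clock, reproducible

def parse_fields(body):
    """Return {lowercased field name: [values]} from a security.txt body."""
    fields = {}
    for raw in body.splitlines():
        line = raw.strip()
        if line.startswith("-----BEGIN PGP SIGNATURE-----"):
            break  # trailing signature of a cleartext-signed file
        if not line or line.startswith("#") or line.startswith("-----"):
            continue  # blank line, comment, or PGP armor header
        name, sep, value = line.partition(":")
        name = name.strip()
        if sep and name and " " not in name:
            fields.setdefault(name.lower(), []).append(value.strip())
    return fields

def check_security_txt(body, now):
    """Return a list of problems; an empty list means the basics pass."""
    if "<html" in body.lower():
        return ["response is HTML (likely a soft 404), not a security.txt"]
    fields, problems = parse_fields(body), []
    contacts = fields.get("contact", [])
    if not contacts:
        problems.append("missing required Contact field")
    for c in contacts:
        # Assumption: only these three URI schemes are accepted here.
        if not c.lower().startswith(("mailto:", "https://", "tel:")):
            problems.append(f"unexpected Contact URI: {c}")
    expires = fields.get("expires", [])
    if len(expires) != 1:
        problems.append(f"Expires must appear exactly once, found {len(expires)}")
        return problems
    try:
        when = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
    except ValueError:
        return problems + [f"Expires is not a valid date-time: {expires[0]}"]
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)
    if when <= now:
        problems.append("Expires is in the past; file is stale")
    return problems
```

The HTML check matters in practice because many sites answer unknown paths with a 200 status and an error page, which a status-code-only probe would count as a hit.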