Follow-Up on Security.txt Adoption: Progress and Pitfalls in 2025

Since the introduction of RFC9116 in 2022, the security.txt initiative has continued to evolve, aiming to simplify security vulnerability reporting and encourage widespread adoption. The goal remains clear: provide a standardized way for security researchers to report vulnerabilities by placing a text file in the /.well-known/ folder of a domain.

In our previous analysis conducted in April 2024, we found that 0.7% (6,816 domains) of the top one million domains had adopted the security.txt file. Encouragingly, our latest data reveals a significant increase in adoption, with 1.25% (12,510 domains) now hosting a security.txt file. However, compliance remains a challenge, as only 44% of these domains meet RFC standards, highlighting persistent pitfalls and areas for improvement.

1. Contact Information

The "Contact" field remains a crucial component of security.txt implementation, allowing various types of URIs. Our updated analysis shows:

  • 74% use email, an increase from the previous 67%.
  • 35% use a URL, showing a minor increase from 31%.
  • 2% use a telephone number, consistent with past findings.

2. Expiration Date Compliance

The "Expires" field continues to be a major stumbling block. While progress has been made, challenges persist:

  • 45% of domains still fail to specify an expiration date, down from 46% in 2024.
  • 13% have an already expired date, showing a significant improvement from 18%.
  • 5% feature an invalid expiration format.
  • 20% have set expiration dates too far into the future, slightly down from 23%.

3. Encryption Practices

Encryption is vital for secure communication, and our analysis found that:

  • The share of files referencing an encryption key stayed roughly the same, at 31%.
  • Of these, 98% use an https: URI, 4% use an openpgp4fpr: fingerprint, and 0.13% use a dns: URI.
  • The number of invalid or incorrectly formatted encryption keys has dropped by 9%.

4. Digital Signature Adoption

The use of OpenPGP signatures for authenticity verification has grown modestly:

  • 11% of domains have implemented a signature, up from 10%.
  • Of these, 50% were successfully validated, compared to 40% in the previous study; "validated" here means that the key used to sign the file was also listed in an Encryption field.

5. Common Implementation Mistakes

Despite the progress, several common pitfalls continue to plague adoption:

  • Unknown fields: Present in 11% of files, up slightly from 10%.
  • Use of 'Acknowledgements' instead of 'Acknowledgments': Still seen in 10% of files, showing slow improvement.
  • Incorrect Content-Type: Now observed in 3.5% of domains.
  • Canonical URL mismatches: Persist in 26% of cases, a minor improvement from 29%.

Conclusion

While adoption of security.txt has grown significantly over the past year, compliance remains a serious hurdle. The most persistent issues continue to revolve around missing required fields, improper formatting, and expired information. Encouragingly, more organizations are beginning to understand the importance of security.txt and are taking steps to align with RFC9116 guidelines.

Verify security.txt files easily on our URIports Tools page.

URIports automatically detects if monitored domains publish a security.txt file, checks for errors, and notifies administrators for quick issue resolution.