Security.txt in the wild: 2025 edition

One year ago, I checked the top 1 million “websites” for a security.txt file and then posted the results on this blog. As described at the time, I used a tool written by someone else who had already run this “experiment” in 2022.

You can look at the post if you are keen to know what this file is, why I was curious about the adoption numbers, and what last year’s results were.

As promised, I am collecting and publishing this information on the blog again this year. Yes, I did remember or, more precisely, my calendar app did.

The first step was to download the same software again, and the second step was to download the most recent list of the top 1 million domains from the same source.

Then, after consuming energy for a few hours and wasting some bandwidth, the results were the following:

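| | Total | Change from 2024 |
|---|---|---|
| Sites scanned | 999968 | -0,003% |
| Sites with a valid file | 1773 | -81% |
| Sites with an invalid file | 12140 | +454% |
| Sites without a file | 986055 | -0,25% |

| | Contact | Policy | Hiring | Encryption | Expiry |
|---|---|---|---|---|---|
| Sites with value | 12019 | 4526 | 3107 | 3052 | 8480 |
| Change from 2024 | +30,3% | +23,2% | +21,2% | +15,2% | +70,9% |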

Overall, there was an expected increase in usage; however, the change from last year is again underwhelming. The number of domains with the file went from 11501 to 13913, which is a minimal improvement.

The valid/invalid numbers seem to be messed up, but this could be due to the software being out of date with the spec. I didn’t waste too much time on this.

Even setting aside the limitations described in the original author’s post and the valid file detection issue, I think these results might not reflect reality, due to the huge number of errors found in the output file.
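To make the valid/invalid split concrete, here is an added example (not the scanning tool used for this post, and not its rules) that classifies a fetched body against the two fields RFC 9116 requires, Contact and a single Expires timestamp, and tallies results in the same shape as the tables above. Counting an already-expired file as invalid is an assumption of this example, and the sample responses are constructed.

```python
from collections import Counter
from datetime import datetime, timezone

def parse_fields(body):
    """Return {lowercased field name: [values]}, skipping comments and blanks."""
    fields = {}
    for line in body.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, value = line.split(":", 1)
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields

def classify(body, now):
    """Return (verdict, reasons); body is None when no file was served."""
    if body is None:
        return "missing", []
    fields, reasons = parse_fields(body), []
    if not any(fields.get("contact", [])):
        reasons.append("Contact missing")
    expires = fields.get("expires", [])
    if len(expires) != 1:
        reasons.append("Expires must appear exactly once")
    else:
        try:
            when = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
            if when.tzinfo is None:
                reasons.append("Expires has no UTC offset")
            elif when <= now:  # assumption: a stale file counts as invalid
                reasons.append("Expires is in the past")
        except ValueError:
            reasons.append("Expires is not a valid timestamp")
    return ("invalid" if reasons else "valid"), reasons

def summarize(samples, now):
    """Tally verdicts and per-field presence across all sampled sites."""
    verdicts, present = Counter(), Counter()
    for body in samples.values():
        verdicts[classify(body, now)[0]] += 1
        if body is not None:
            present.update(parse_fields(body).keys())
    return verdicts, present

# Constructed sample responses (not real scan data); d.example serves no file.
SAMPLES = {
    "a.example": "Contact: mailto:security@a.example\nExpires: 2030-01-01T00:00:00Z\nPolicy: https://a.example/policy\n",
    "b.example": "# no expiry given\nContact: mailto:security@b.example\n",
    "c.example": "Contact: https://c.example/report\nExpires: 2024-06-30T00:00:00Z\n",
    "d.example": None,
}
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)  # fixed clock for repeatability
```

A scanner that applies the Expires checks will move files that only carry Contact from "valid" to "invalid", so the two columns are only comparable between runs that use the same rules.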

Overall, adoption seems to be progressing, but it still seems very far from being something mainstream.

If I do this next year, perhaps it will be better to use a different methodology and tools, so I can obtain more reliable results.
