DENOG17 Security.txt Update: 69% Adoption, One Third Valid and 6 with Clean PGP

Published on 12/23/2025

After our talk at DENOG17 about security.txt, we published an initial snapshot of adoption across organizations in the DENOG community. Since then, we received feedback from DENOG members, especially about the proper adoption of security.txt.

Based on this feedback, we re-ran the analysis. The updated numbers are clearer and show that transparency and community discussion can lead to improvements.

Test Your Security.txt

Check if domains have implemented a valid security.txt according to RFC 9116. Use our free checker:

What Changed Since the First Post

Here is the current snapshot based on DENOG attendees:

  • 69% of attendees have a security.txt endpoint, compared to 25% in November.
  • Around one third of those implementations are valid according to our checks, compared to one fourth a month earlier.
  • 6 organizations now provide a clean PGP setup that is correctly parseable and free of obvious errors, which is an increase of 25%.

The PGP result in particular represents a clear improvement in implementation quality. This is often the area where implementations fail in practice.

Why This Matters

We see security.txt not only as a contact for website vulnerabilities, but as a standardized entry point for security communication across a provider’s services.

A provider without a clear security contact is like a building without an emergency exit.

What We Check

In our checker and in this evaluation, we focus on the practical basics:

  1. Discoverability via /.well-known/security.txt
  2. Required fields such as Contact and Expires
  3. Validity including format and machine readability
  4. Optional quality signals such as PGP where appropriate
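
As an added illustration (not the code of our checker), the following Python sketch applies checks 2 to 4 to a security.txt body that has already been fetched from /.well-known/security.txt. The sample file, the function name `check_security_txt` and the restriction of Contact to three URI schemes are assumptions made for this example; it only inspects the OpenPGP cleartext framing and does not verify the signature itself.

```python
from datetime import datetime, timezone
# Constructed sample: example.com and the signature body are placeholders.
SAMPLE = """-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Contact: mailto:security@example.com
Expires: 2030-01-01T00:00:00Z
-----BEGIN PGP SIGNATURE-----

(placeholder, not a real signature)
-----END PGP SIGNATURE-----
"""
HEAD, SIG = "-----BEGIN PGP SIGNED MESSAGE-----", "-----BEGIN PGP SIGNATURE-----"

def check_security_txt(text, now=None):
    """Return {'valid', 'signed', 'errors'} for one security.txt body."""
    now = now or datetime.now(timezone.utc)
    lines = [line.strip() for line in text.splitlines()]
    signed = bool(lines) and lines[0] == HEAD
    errors, fields = [], {}
    if signed and SIG in lines and "" in lines:
        # Signed content sits between the armor headers' blank line and the signature.
        lines = lines[lines.index("") + 1:lines.index(SIG)]
    elif signed:
        errors.append("cleartext signature framing is incomplete")
    for line in lines:
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if sep and value.strip():
            fields.setdefault(name.strip().lower(), []).append(value.strip())
        else:
            errors.append(f"unparseable line: {line!r}")
    contacts = fields.get("contact", [])
    if not contacts:
        errors.append("missing required field: Contact")
    # Assumption: accept only the URI schemes RFC 9116 uses in its examples.
    errors += [f"Contact is not a mailto:/https:/tel: URI: {c}" for c in contacts
               if not c.lower().startswith(("mailto:", "https://", "tel:"))]
    expires = fields.get("expires", [])
    if len(expires) != 1:
        errors.append(f"Expires must appear exactly once, found {len(expires)}")
    else:
        try:
            when = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
            if when.tzinfo is None or when <= now:
                errors.append("Expires has no UTC offset or is in the past")
        except ValueError:
            errors.append(f"Expires is not an RFC 3339 timestamp: {expires[0]}")
    return {"valid": not errors, "signed": signed, "errors": errors}
```

Passing a fixed `now` makes the expiry check reproducible when the same file is re-evaluated across snapshots.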

Try It Yourself

If you operate a domain in the DENOG ecosystem or anywhere else, run it through the checker:

security.txt Checker

Enter your domain to validate its security.txt setup. The checker follows RFC 9116 and only requests /.well-known/security.txt over HTTPS/HTTP.

Looking Ahead

We plan to repeat this evaluation periodically and track changes over time. Ideally, more organizations will move from basic presence to valid and cleanly implemented configurations.

If your organization improved its security.txt after the talk, thank you. If not, this remains one of the highest-return security improvements that can realistically be shipped in an afternoon.

Special thanks to the DENOG community for the direct feedback that helped us improve the methodology.