
I very matter-of-factly told a colleague that security.txt is a well-known standard but that it's not widely used in "major corporations". In the context of our conversation I took "major corporations" to mean financial services. I didn't have the data on hand to back up the claim.

I compiled a list of 207 financial services domains [1]: banks, insurers, pension providers, etc., somewhat UK-heavy.

Then I wrote a script to check for the presence of /.well-known/security.txt or /security.txt.

Out of 207 domains, 18 (8.7%) had a security.txt in place. I didn't parse the contents for compliance with the standard, but research [2] suggests that only a subset of security.txt implementations is compliant. Some of these domains probably blocked my requests, so an unknown number of false negatives is skewing the result.
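The check described above, as an added example rather than the post's own script: it probes each domain at the RFC 9116 location and the legacy root location, keeps "blocked" (401/403/429/503, typically a WAF or rate limit) separate from "missing" so the false-negative caveat is visible in the tally, and runs a light conformance check on anything it finds (text/plain media type, at least one Contact URI, exactly one Expires that lies in the future). The domain names, responses and fixed "now" in the fixture are constructed for offline demonstration; pass a file of domains on the command line to run it live.

```python
"""Added example (not the post's own script): survey a domain list for
security.txt, distinguish blocked from missing, and check basic RFC 9116
conformance. Domains and responses in the fixture below are constructed."""
import re
import sys
from datetime import datetime, timezone
from urllib.request import Request, urlopen
from urllib.error import HTTPError, URLError

# RFC 9116 location first, legacy root location as fallback.
PATHS = ("/.well-known/security.txt", "/security.txt")
CONTACT_SCHEMES = re.compile(r"^(https://|mailto:|tel:)", re.IGNORECASE)
BLOCKED_STATUSES = {401, 403, 429, 503}


def fetch(url, timeout=10):
    """Live fetcher: returns (status, content_type, body); status is None on network error."""
    req = Request(url, headers={"User-Agent": "security-txt-survey (example)"})
    try:
        with urlopen(req, timeout=timeout) as resp:
            ctype = resp.headers.get("Content-Type", "")
            return resp.status, ctype, resp.read(65536).decode("utf-8", "replace")
    except HTTPError as err:
        return err.code, err.headers.get("Content-Type", ""), ""
    except (URLError, OSError):
        return None, "", ""


def parse_fields(body):
    """Parse 'Name: value' lines into {lowercased name: [values]}, skipping comments."""
    fields = {}
    for raw in body.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, _, value = line.partition(":")
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def conformance_issues(body, content_type="text/plain", now=None):
    """Check the rules deployments most often get wrong: text/plain media type,
    at least one Contact that is a URI, exactly one Expires that is in the future."""
    now = now or datetime.now(timezone.utc)
    fields = parse_fields(body)
    issues = []
    if not content_type.lower().startswith("text/plain"):
        issues.append(f"served as {content_type or 'unknown'} rather than text/plain")
    contacts = fields.get("contact", [])
    if not contacts:
        issues.append("missing Contact")
    for contact in contacts:
        if not CONTACT_SCHEMES.match(contact):
            issues.append(f"Contact is not a URI: {contact}")
    expires = fields.get("expires", [])
    if len(expires) != 1:
        issues.append("Expires must appear exactly once")
    else:
        try:
            when = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
            if when.tzinfo is None:          # treat a naive timestamp as UTC
                when = when.replace(tzinfo=timezone.utc)
            if when <= now:
                issues.append("Expires is in the past")
        except ValueError:
            issues.append(f"Expires is not an RFC 3339 date-time: {expires[0]}")
    return issues


def check_domain(domain, fetcher=fetch, now=None):
    """Return (state, path, issues); state is 'found', 'blocked' or 'missing'.
    A 200 only counts as found if the body carries a Contact field, which filters
    out servers that answer 200 with an HTML error page for any path."""
    blocked = False
    for path in PATHS:
        status, ctype, body = fetcher(f"https://{domain}{path}")
        if status == 200 and "contact" in parse_fields(body):
            return "found", path, conformance_issues(body, ctype, now)
        if status in BLOCKED_STATUSES:
            blocked = True   # do not count a blocked probe as "absent"
    return ("blocked" if blocked else "missing"), None, []


def survey(domains, fetcher=fetch, now=None):
    """Tally states across the list; rate_pct is found / total as a percentage."""
    results = {d: check_domain(d, fetcher, now) for d in domains}
    counts = {"found": 0, "blocked": 0, "missing": 0}
    for state, _, _ in results.values():
        counts[state] += 1
    counts["rate_pct"] = round(100 * counts["found"] / len(domains), 1) if domains else 0.0
    return counts, results


# Constructed offline fixture standing in for live responses (example data only).
GOOD = "Contact: mailto:security@bank-a.example\nExpires: 2025-01-01T00:00:00Z\n"
NO_EXPIRES = "Contact: https://bank-b.example/report\n"
FIXTURE = {
    "https://bank-a.example/.well-known/security.txt": (200, "text/plain; charset=utf-8", GOOD),
    "https://bank-b.example/security.txt": (200, "text/plain", NO_EXPIRES),
    "https://bank-c.example/.well-known/security.txt": (403, "text/html", ""),
    "https://bank-c.example/security.txt": (403, "text/html", ""),
    "https://bank-e.example/.well-known/security.txt": (200, "text/html", "<html>Not found</html>"),
    "https://bank-e.example/security.txt": (200, "text/html", "<html>Not found</html>"),
}
DEMO_DOMAINS = ["bank-a.example", "bank-b.example", "bank-c.example", "bank-d.example", "bank-e.example"]
DEMO_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def fake_fetch(url):
    """Offline fetcher: anything not in the fixture is a plain 404."""
    return FIXTURE.get(url, (404, "text/html", ""))


if __name__ == "__main__":
    live = len(sys.argv) > 1
    domains = [l.strip() for l in open(sys.argv[1]) if l.strip()] if live else DEMO_DOMAINS
    counts, results = survey(domains, fetch if live else fake_fetch, None if live else DEMO_NOW)
    for d, (state, path, issues) in results.items():
        print(f"{d:20} {state:8} {path or '-':28} {'; '.join(issues) or 'ok'}")
    print(counts)
```

Reporting "blocked" as its own bucket is the point: the adoption rate is found divided by the total, but the blocked count tells you how large the unknown band around that figure is, which the post's single percentage cannot show.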

Nonetheless, the standard was first submitted in 2017 and, as of April 2022, it is RFC 9116.

The global adoption rate has been increasing steadily since 2020 [3], with more recent analysis in 2025 [4] confirming a steady uptake.

After writing my check, I came across https://github.com/markuta/go-security-txt which includes a broader survey and detailed analysis of security.txt adoption.


[2] Hilbig, T., Geras, T., Kupris, E. and Schreck, T. (2023). security.txt Revisited: Analysis of Prevalence and Conformity in 2022. Digital Threats: Research and Practice, 4(3), pp. 1–17. https://doi.org/10.1145/3609234

[3] Poteat, T. and Li, F. (n.d.). Who You Gonna Call? An Empirical Evaluation of Website security.txt Deployment. [online] https://doi.org/10.1145/3487552.3487841