> Many people, who put the security.txt file in place, complain about the amount of low effort reports that are sent their way. I admit this situation is not ideal. However, I still think it is a net positive, and the problem can be minimized by having a good policy in place and a streamlined triage process.
Obvious question: Given this additional overheard, who should bother with a security.txt? The author notes that, of 1e6 domains recently scanned, 1% had a security.txt. Given the massive number of semi-abandoned old blog/hobby sites out there, plus probably far more SEO-gaming crap sites, plus loads of sites for tiny businesses - which are neither taking on-line payments, nor have any staffers with the tech savvy to deal with those low-effort reports - is 1% pretty close to optimal?
It is a good question, I assume that for the overall internet the adoption percentage will always be very low. However, the sites scanned are, theoretically, the top 1M, which include a high number of established businesses and other big organizations. So, I hoped that in this "sample" the percentage would be higher.
Obvious question: Given this additional overheard, who should bother with a security.txt? The author notes that, of 1e6 domains recently scanned, 1% had a security.txt. Given the massive number of semi-abandoned old blog/hobby sites out there, plus probably far more SEO-gaming crap sites, plus loads of sites for tiny businesses - which are neither taking on-line payments, nor have any staffers with the tech savvy to deal with those low-effort reports - is 1% pretty close to optimal?