I’m not really sure why the author made the limitation to “IT Companies” unless what they really mean is the IT organization within the companies. The security.txt seems like it should be utilized by any company that does business on the internet, much like having an abuse email address.
