Security.txt: 70% of German DAX40 without Security Contacts
Lack of Security Awareness Among German Blue Chips
· Software Security
By Jan Brennenstuhl · 4min read
Public Security Contacts
Publicly accessible security contacts are essential. I recently published security.txt for Zalando. All TLDs now respond with our disclosure contacts and security hiring information directly or via a redirect.
After I was done, I wanted to understand how well-established this industry standard is in Germany. So I did a quick research. Only 27,5% of German Blue Chip companies (DAX40) enable security researchers to disclose security vulnerabilities securely.
In this article, you’ll learn the following:
- How to expose security contacts
- What problem security.txt solves
- Which German DAX40 companies take security seriously
Why Security Reporting Channels Matter
In today’s rapidly evolving digital landscape, attack surfaces constantly grow. Organizations of all sizes experience alarming increases in cyber attacks. Cybercriminals continue to develop new and sophisticated ways to exploit vulnerabilities.
In times like these, many organizations rely on independent security researchers. In many situations, these researchers cannot report vulnerabilities they discovered because there are no official reporting channels to contact the owner of a particular resource. Getting in touch with social media teams, front-desk, or first-level support is often time-consuming and rarely helps.
What is Security.txt?
Security.txt is “A File Format to Aid in Security Vulnerability Disclosure” defined in the informational RFC 9116. It allows security researchers to easily report security vulnerabilities.
The standard describes a text file called
security.txt that resides in the well-known path
/.well-known/. The syntax is machine- and human-readable. It includes expiry information, links to the organization’s disclosure policy, and additional contacts. The spec recommends digitally signing the content of a Security.txt.
Given that the first draft was published six years ago, it is no surprise that progressive governments like the Netherlands recently made it mandatory for official federal Dutch websites to have a security.txt in place.
DAX Companies & Security.txt
Latest since 2021, “the more popular and higher ranked sites in the [Alexa] Top 1 Million are now publishing a security.txt file in larger numbers” (Scott Helme). The picture is different in Germany: 29 of the 40 German Blue Chip companies listed in the DAX (Deutscher Aktien Index) do not expose security contacts via a dedicated security.txt endpoint.
Despite the ever-evolving threat landscape, these organizations are unwilling (or unable?) to streamline potentially existing vulnerability disclosure programs. Or, even worse, they don’t have the necessary security awareness to complement their security posture with a standardized point of contact. In both ways, companies like Volkswagen, Rheinmetall, and BASF likely miss out on benefits.
Only 11 companies listed in the DAX40 stock market index expose usable security contacts and disclosure policies based on RFC 9116 – Allianz, Bayer, Beiersdorf, BMW, EON, Mercedes-Benz, Munich Re, SAP, Siemens, Siemens Energy, and Zalando.
|MTU Aero Engines||https://www.mtu.de/.well-known/security.txt||🔴|
Of course, this quick, dirty, manual investigation is neither representative nor conclusive. But it gives a first indication of how well-established these cybersecurity fundamentals actually are.
The current situation is inexplicable and concerning. Organizations (especially the big ones) should make it easy for security researchers to contact them. Considering the negligible investments required to establish security.txt endpoints, this becomes even more valid.
Using industry standards and best practices will help organizations to strengthen their security posture. It also leaves a positive impression on potential candidates for the company’s internal security teams. Security engineers seeking job offers will leverage the security.txt standard to find these open positions.
Jan Brennenstuhl is a Principal Software Engineer at Zalando SE, balancing security with friction for their customers. He built an IAM team and brought single sign-on (SSO) to Europe's largest e-commerce fashion platform.