Recently, @ant0inet (Antoine) tweeted about a cursory scan they did against the .ch
TLD to determine how many security.txt
files are hosted on the .ch
zone.
Quick workflow to scan for @securitytxt files on the .ch zone.pic.twitter.com/XfE6xhTDeO
— Fortune cookie monster (@ant0inet) January 15, 2022
I decided it would be fun to explore the data set of $288$ security.txt
files.
If you have scanned for security.txt
files in the past, you are probably aware that a significant portion of these files are hosted by the underlying product used for hosting the website. For instance, Tumblr user websites host a generic security.txt
file pointing to Automattic’s HackerOne programme.
Contact: https://hackerone.com/automattic/reports/new
Policy: https://hackerone.com/automattic
Acknowledgments: https://hackerone.com/automattic/thanks
Hiring: https://www.tumblr.com/jobs
If we create a hash map of security.txt
files from Antoine’s resulting data set, we discover there are several duplicate files. Some of these duplicate files are organisational security.txt
files hosted across a collection of .ch
hosts belonging to one company.
Organisation | Number of security.txt files |
---|---|
Post AG | $54$ |
Nextcloud | $30$ |
bpm | $19$ |
Readymag | $15$ |
Visana | $7$ |
edoobox | $5$ |
Procter & Gamble | $3$ |
$2$ | |
Zera Media | $2$ |
Using the same data set, we can fetch the number of unique security.txt
files by returning the length of the hash map. This results in $143$ unique security.txt files across the .ch
zone.
It may help to further illustrate the proportion of unique to duplicate files.
As noted by Antoine in later tweets, some hosts were missing from the initial data set due to massdns
not resolving them and the nuclei
template not following redirects (this has since been updated).
Antoine released a final more refined data set which addressed the issues faced with earlier scans. This data set included $1310$ security.txt
files.
+384 sites when following redirects: https://t.co/VBYfb1LJdD
— Fortune cookie monster (@ant0inet) January 16, 2022
Performing the same analysis against this new data set returned $535$ unique security.txt
files.
Post AG came out top hosting a total of $203$ Instances of security.txt
.
Organisation | Number of security.txt files |
---|---|
Post AG | $203$ |
Nextcloud | $125$ |
Readymag | $55$ |
All in all, kudos to Antoine for taking the time to scan the .ch
zone for security.txt
. This was a fun exercise and uncovered some interesting insights into security.txt
adoption in Switzerland. I look forward to seeing adoption grow among Swiss organisations in the years to come.