I happen to maintain a public list of companies using libexpat in hardware, though not complete by any means. Last time I tried mass-mailing companies about a security issue in April 2024. Finding the right contact for security was non-trivial and even failed in some cases. E.g. for Humax Digital I eventually gave up.

It is needless to say that if your security contacts are too hard to find, that says something about how urgently you want to fix security issues (or not).

So I felt like re-checking how many of these 50 companies are serving /.well-known/security.txt (or the significantly less common /security.txt) a la RFC 9116 in 2025.

The sad answer is: 39 out of the 50 companies I tested do not, i.e. 78%. Here's who and where exactly I tested:

• ✅ Bosch
• ❌ Brother
• ❌ BSH Hausgeräte
• ❌ Casio
• ✅ Cisco
• ✅ Daimler Mercedes-Benz
• ✅ Dell
• ❌ Denon
• ❌ Domino Printing
• ❌ eQ-3
• ❌ Ford
• ❌ Harman
• ❌ HP
• ❌ Humax Digital
• ❌ Intel
• ❌ Intermec
• ❌ Kathrein Digital Systems
• ❌ Kyocera
• ❌ Lantronix
• ❌ LG
• ❌ marantz
• ❌ Mazda
• ❌ NetApp
• ❌ Onkyo
• ❌ Palm
• ❌ Panasonic
• ❌ Ricoh
• ❌ Romi
• ✅ Rohde & Schwarz
• ❌ Sangoma
• ✅ Siemens
• ❌ Sharp
• ✅ SMA
• ❌ Sony
• ❌ STIHL
• ❌ TCS
• ❌ Teac
• ❌ TechniSat
• ❌ Telekom
• ❌ Theben
• ❌ Timemaster
• ✅ Trend Micro
• ❌ Universal Audio
• ❌ VacuuBrand
• ❌ Verizon
• ✅ Vodafone
• ❌ X-Rite
• ❌ Yamaha
• ✅ Yokogawa
• ✅ Zyxel

If you work at a company that does not serve /.well-known/security.txt yet, please fix it or share a link to https://securitytxt.org/ with a co-worker or management of yours so they can — thank you!