security.txt in the Fortune 500: 15% Adoption, 4.8× AI-Readiness Correlation
Published 2026-04-20 · PROGEOLAB Research
security.txt is a text file at /.well-known/security.txt that declares how security researchers should report vulnerabilities. Published as RFC 9116 in 2022, it has become a de facto standard for organizations that take coordinated vulnerability disclosure seriously. It has no direct relationship to AI visibility — but its adoption pattern across the Fortune 500 is one of the strongest predictors of overall AI-readiness we've measured.
Of 500 Fortune 500 companies probed for /.well-known/security.txt, 75 (15%) have a real body-validated file. Nine of those include PGP-signed URLs for encrypted reporting — the gold-standard implementation. Both numbers are higher than llms.txt (2.8%) and robots.txt AI directives (7.5%). security.txt is currently the AI-adjacent standard with the highest real adoption.
The 4.8× correlation
72% of the top-25 most AI-ready Fortune 500 companies have security.txt. The overall Fortune 500 adoption rate is 15%. That's a 4.8× lift. No other single signal correlates as tightly with AI-readiness as security.txt presence.
The correlation is not causal in either direction. security.txt doesn't make your website more AI-accessible; AI crawlers don't read security.txt. But the act of publishing security.txt requires coordination between security, legal, and web operations — the same coordination that shipping AI-ready infrastructure requires. Companies that can ship security.txt can ship llms.txt, the Wikidata sameAs, and the WAF rule updates that unblock AI crawlers. Companies that can't ship security.txt probably can't ship the rest either.
Sector distribution
- Technology — 32% adoption. Highest of any sector. Unsurprising given security-research cultures at these companies
- Banking — 21% adoption. Regulated disclosure obligations make RFC 9116 a low-friction implementation
- Pharmaceuticals — 14% adoption. Similar regulatory pressure, slightly lower actual follow-through
- Retail — 8% adoption. Less security-research attention, less pressure
- Energy, industrial manufacturing — under 5%. Vulnerability disclosure programs exist but are rarely web-published
The minimum-viable template
The RFC 9116 minimum is two fields:
Contact: mailto:security@yourdomain.com
Expires: 2027-04-20T00:00:00.000Z
Production-grade security.txt adds Encryption (PGP key URL), Acknowledgments (hall-of-fame page), Preferred-Languages, and Canonical (declaring the URL where this file lives). The 9 Fortune 500 companies with PGP signatures have the full complement.
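As an added example (not PROGEOLAB's probe code and not part of the original post), here is a small Python validator for the field rules described above: Contact and Expires must be present, Expires and Preferred-Languages must not repeat, web URIs must be https, Expires should be in the future but less than a year out (the RFC's recommendation), and Canonical, if present, should list the URL the file was fetched from. The sample bodies, the yourdomain.com URLs beyond the template's mailto address, and the frozen clock are all constructed for the demonstration.

```python
"""
Parse and sanity-check a security.txt body against the field rules in RFC 9116.
Added example; not PROGEOLAB's own probe code. Sample bodies below are constructed.
"""
from __future__ import annotations
from datetime import datetime, timedelta, timezone

# Allowed URI schemes per field. Field names are case-insensitive in the RFC,
# so everything is compared lower-cased.
ALLOWED_SCHEMES = {
    "contact": {"https", "mailto", "tel"},
    "encryption": {"https", "dns", "openpgp4fpr"},
    "acknowledgments": {"https"},
    "canonical": {"https"},
    "policy": {"https"},
    "hiring": {"https"},
}
REQUIRED = ("contact", "expires")              # must be present
SINGLETON = ("expires", "preferred-languages")  # must appear at most once

# Constructed clock so the checks are reproducible; use datetime.now(timezone.utc) in practice.
FROZEN_NOW = datetime(2026, 5, 1, tzinfo=timezone.utc)


def parse_security_txt(body: str) -> dict[str, list[str]]:
    """Map lower-cased field name -> values in file order.

    Comments (#), blank lines and PGP armor lines (-----BEGIN/END ...-----) are
    skipped; base64 signature lines contain no ':' and fall through the same filter.
    """
    fields: dict[str, list[str]] = {}
    for raw in body.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("-----"):
            continue
        name, sep, value = line.partition(":")
        if not sep or not name.strip() or " " in name.strip():
            continue  # not a 'Name: value' line
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def validate_security_txt(body: str, fetched_from: str | None = None,
                          now: datetime | None = None) -> list[str]:
    """Return a list of findings; an empty list means the body passes every check."""
    now = now or datetime.now(timezone.utc)
    fields = parse_security_txt(body)
    findings: list[str] = []

    for name in REQUIRED:
        if name not in fields:
            findings.append(f"missing required field {name}")
    for name in SINGLETON:
        if len(fields.get(name, [])) > 1:
            findings.append(f"{name} appears {len(fields[name])} times; at most one allowed")

    for name, allowed in ALLOWED_SCHEMES.items():
        for value in fields.get(name, []):
            scheme = value.partition(":")[0].lower()
            if scheme not in allowed:
                findings.append(f"{name} has disallowed scheme '{scheme}': {value}")

    # Only the first Expires is evaluated; a duplicate is already reported above.
    for value in fields.get("expires", [])[:1]:
        iso = value[:-1] + "+00:00" if value.endswith("Z") else value
        try:
            expires = datetime.fromisoformat(iso)
        except ValueError:
            findings.append(f"expires is not an ISO 8601 timestamp: {value}")
            continue
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        if expires <= now:
            findings.append(f"file expired on {value}")
        elif expires - now > timedelta(days=365):
            findings.append(f"expires more than a year out ({value}); RFC 9116 recommends under a year")

    canonical = fields.get("canonical", [])
    if fetched_from and canonical and fetched_from not in canonical:
        findings.append(f"fetched from {fetched_from}, which is not listed in Canonical")
    return findings


# The two-field minimum from the template above.
MINIMAL = "Contact: mailto:security@yourdomain.com\nExpires: 2027-04-20T00:00:00.000Z\n"

# Constructed "full complement" body; every URL is a placeholder.
FULL = """\
# Constructed sample, not a real organisation's file
Contact: mailto:security@yourdomain.com
Contact: https://yourdomain.com/security/report
Expires: 2027-04-20T00:00:00.000Z
Encryption: https://yourdomain.com/.well-known/pgp-key.txt
Acknowledgments: https://yourdomain.com/security/hall-of-fame
Preferred-Languages: en, de
Canonical: https://yourdomain.com/.well-known/security.txt
"""

# Constructed body with three defects: plain-http Contact, duplicate and stale Expires.
BROKEN = "Contact: http://yourdomain.com/report\nExpires: 2025-01-01T00:00:00Z\nExpires: 2026-01-01T00:00:00Z\n"

if __name__ == "__main__":
    for label, body in (("minimal", MINIMAL), ("full", FULL), ("broken", BROKEN)):
        print(label, validate_security_txt(body, now=FROZEN_NOW) or "OK")
```

Run as a script it prints one line per sample; the minimal and full bodies pass, the broken one reports three findings. Fetching the file over HTTPS and feeding the response body to validate_security_txt, with fetched_from set to the request URL, is the only piece left out.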
Why this matters for AI
security.txt doesn't help AI answer engines directly. But the correlation with AI-readiness means that if your company doesn't have security.txt, the likelihood of having the rest of the AI-visibility stack is low, and the likelihood of having organizational patterns that could produce that stack is also low. For audit purposes, security.txt presence is a fast binary diagnostic: adopt the organizational pattern that produces security.txt, and the AI-visibility infrastructure becomes shippable.
The 53-point checklist treats security.txt as a maturity signal, not a direct AI signal. The pillar guide's 5-hour roadmap places its publication at Hour 4 — among the last items because the prerequisites are organizational, not technical.