On Thu, May 21, 2026 at 10:46:49AM -0400, Paul Wouters wrote:
Without commenting on the usefulness of security.txt, I just wanted to point out fedoraproject seems to publish one not on the main domain but on the admin subdomain:
Yes, we do.
RFC9116 seems to believe it should be available per service name and that one on the main domain (or on www.) would not cover anything else (eg sub domains).
I don't think this is only available on admin.fedoraproject.org by design, but I could be wrong. The situation does however match my personal (not endorsed by Fedora) feelings about security.txt in general :)
Yeah. I don't know that we want to produce a security.txt for every subdomain we have, especially when they would likely be all the same contents.
Note when you google for "fedora security" you do get to https://fedoraproject.org/security/ that also has contact information at the bottom.
Paul, not speaking for the Fedora Project here
kevin, speaking for fedora infrastructure, but agreeing with Paul. ;)
kevin --
On Wed, May 20, 2026 at 7:32 PM AIFB-security-txt-study < security-txt-study@aifb.kit.edu> wrote:
Greetings,
we are researchers from the university in Karlsruhe, Germany, the Karlsruhe Institute of Technology (KIT). We are contacting you today, because by analyzing the most visited domains [1] we found that your domain fedoraproject.org is seemingly not providing contact information for a security contact via a security.txt [2].
As part of our research project on vulnerability notifications [3] we are investigating why domain owners do not provide a security.txt. We aim to identify reasons for non-adoption, as well as reasons that hinder or delay adoption. In case you already provide security contact information in other forms, we also highly appreciate your response.
Your perspective is very valuable to us, as it helps us pinpoint specific issues that we need to take into account when developing recommendations and awareness materials.
To allow you to respond anonymously, we have created an online survey. The survey will take about 5 minutes to complete. The survey can be accessed via the following link: https://soscisurvey.scc.kit.edu/securitytxt
Alternatively, we also appreciate your feedback as a response to our email. Please find the questions below.
Thank you very much for your time and support!
Best regards, Anne Hennig
[1] https://tranco-list.eu/
[2] https://securitytxt.org
[3] https://s.kit.edu/vulnerability-notifications
QUESTIONS
1. Have you ever heard about security.txt before? [Yes / No]
   1.1 If yes: On what occasion did you hear about security.txt?
2. Have you already implemented or are you planning to implement security.txt for your domain? [Yes / No / Already implemented / I provide contact information in other forms (please specify)]
   2.1 If in planning: What is your timeline for the implementation? Why did you decide to implement a security.txt? What are your greatest concerns? What benefits do you expect?
   2.2 If no implementation planned: Why did you decide not to implement a security.txt? What are your greatest concerns? What would motivate you to implement a security.txt? Can you think of potential benefits when implementing a security.txt?
   2.3 If already implemented: Why did you decide to implement a security.txt? What were your greatest concerns before implementation? What benefits did you expect? What are your current experiences?
3. Demographic information:
   3.1 In which country is your organization mainly located?
   3.2 What is your role with regard to the domain we contacted?
   3.3 What sector does your organization or business belong to?
   3.4 How many employees does your organization or business have? [1-9, 10-49, 50-249, 250-499, 500-999, 1000-4.999, 5.000 or more]
Legal Disclaimer: The legal basis for the processing of your personal data is Article 6(1)(e) in conjunction with Article 6(3) of the General Data Protection Regulation (GDPR) and Section 13(1) of the Baden-Württemberg State Data Protection Act.
In accordance with Articles 13 and 14 of the GDPR, we hereby inform you that we have processed your contact information for scientific research purposes without having obtained your prior consent. The processing is carried out exclusively for the purpose of inviting you to participate in the aforementioned study. You have the right at any time to have your contact information deleted and to object to further contact.
We will not contact you again for the purpose of this study. Your name and email address will be stored separately from your responses. It is not possible to identify you personally from this data. We will delete your contact information at the end of the project.
Karlsruhe Institute of Technology (KIT) Institute of Applied Informatics and Formal Description Methods (AIFB) Research Group Security • Usability • Society (SECUSO)
Anne Hennig, M.A. Research Associate
E-Mail: anne.hennig@kit.edu
Registered Office Kaiserstraße 12, 76131 Karlsruhe
KIT – The University in the Helmholtz-Association
websites@lists.fedoraproject.org