Which domains need security.txt files?

security txt files are an important aspect to ensuring your online assets remain secure, as they provide security researchers with the correct details to quickly report any issues found on your domains, and can mean serious issues do not go unreported as responsibility and hosting for domains and subdomains can differ, even if they have the same root domain, each primary domain and subdomain should provide a uri from which to retrieve the associated security txt file , which can use a redirect to a common security txt file this is indicated in the rfc 9116 https //www rfc editor org/rfc/rfc9116#name location of the securitytxt as " a 'security txt' file must only apply to the domain or ip address in the uri used to retrieve it, not to any of its subdomains or parent domains ", and cisa https //www cisa gov/news events/news/securitytxt simple file big value also states this in their blog, " each domain and subdomain within an entity’s network should have its own security txt file " hexiosec asm helps you understand which domains and subdomains should have 'security txt' files by raising low severity risks if these files are not found this is in addition to other validity checks hexiosec asm will perform on any 'security txt' files which are found our recommendation is that all identified domains include the file, but it can also be challenging if domains are part controlled by third parties and they do not offer the facility to add the file as a minimum you should ensure the security txt file is available from your main domain and websites domains for specific subdomains, in hexiosec asm you can choose to ignore risks if the file can't be created and you are willing to accept the risk this faq also answers why does a scan have multiple security txt file risks? what is a security txt file?