In theory, this is great! The DHS notes it as a helpful way for researchers to communicate their findings. At one point, a draft required agencies to have one, but that requirement was removed from the draft. Because it lives at a normalized location, it can be found by scraping sites like SHODAN and Disclose.io.
In practice, however, some members of the cyber security community find that it leads to a poor signal-to-noise ratio.
Some entrepreneurial members of the cybersecurity community will grab the domain lists with security.txt files, fetch the email, run Burp Suite or Metasploit to get some low-effort security issues, and dump it all into Excel. For extra credit, they then do a mail merge. Minimal effort, and if you get answers back you ask for a bug bounty.
I don’t think that security.txt on its own will cause this, though. It’s just as easy to search for Vulnerability Disclosure Policies and use those as inputs for automated security testing. It takes a bit more manual work, but even with that you end up with odd security reports now and then.
All of this is to explain how we ended up with a security report meant for a site whose name shared the same first two letters as ours.
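The flip side of that normalized location is that whatever a site publishes there is exactly what gets harvested, so it is worth checking that the file says what you mean. The following is an added example, not code from the original post: it parses a constructed security.txt in the RFC 9116 layout (Contact, Expires, Preferred-Languages, Policy, Canonical are the RFC's field names) and flags the problems a site owner would want to fix before publishing; the example.org values are constructed.

```python
from datetime import datetime, timezone

# Constructed sample of a /.well-known/security.txt file (RFC 9116 layout).
SAMPLE_SECURITY_TXT = """\
# Security contact for example.org (constructed sample, not a real site)
Contact: mailto:security@example.org
Contact: https://example.org/report
Expires: 2099-12-31T23:59:59.000Z
Preferred-Languages: en, de
Policy: https://example.org/vulnerability-disclosure
Canonical: https://example.org/.well-known/security.txt
"""

def parse_security_txt(text):
    """Map lower-cased field names to their values in file order; comments,
    blank lines and unrecognised lines are ignored, as RFC 9116 asks."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields

def check_security_txt(text, now=None):
    """Return the problems a site owner should fix before publishing: missing
    Contact or Expires, an expired file, or a Contact that is not a URI."""
    now = now or datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    problems = []
    contacts = fields.get("contact", [])
    if not contacts:
        problems.append("missing Contact field")
    for contact in contacts:
        if not contact.startswith(("mailto:", "https://", "tel:")):
            problems.append(f"Contact is not a usable URI: {contact}")
    expires = fields.get("expires", [])
    if len(expires) != 1:
        problems.append("Expires must appear exactly once")
    else:
        # fromisoformat only accepts a trailing "Z" from Python 3.11 on.
        expires_at = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
        if expires_at <= now:
            problems.append(f"file expired on {expires[0]}")
    return problems
```

A bare address without `mailto:` is the most common mistake this catches; scrapers and humans alike treat the Contact value as a URI, so an unusable one means the report goes to whoever the sender guesses instead.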