
Switzerland Has No Doorbell

Nine in ten Swiss websites publish no security.txt — no way for a researcher to report a vulnerability. We checked every .ch domain in two public lists. Here's the data, and the ten-minute fix.

You find a serious bug on a Swiss company’s website. You try to warn them. There’s no door to knock on.

The fix is one file — security.txt [1] — that says report security issues here. Ten minutes. Free.

We checked every .ch site in two independent public lists. Nine in ten don’t have one.

Figure: Swiss .ch sites, can a researcher report a bug? 90.6% no way to report; 9.4% reachable.
Two lists, built differently, same answer: Majestic Million (full .ch, n=4,188) [3] → 9.4%; Tranco (top 3,000) [4] → 10.7%. One public file fetched per domain — nothing else.

Worst where it should be best

The biggest banks, hospitals and cantonal governments are about half-covered. Everyone else falls off a cliff — and the smaller you are, the longer a flaw sits unreported before anyone can tell you.

Figure: security.txt adoption by site rank (.ch), bars scaled to 100%, axis tick at 50%.
  Top 100: 42%
  Rank 101–500: 19%
  Rank 501–1,000: 8%
  Rank 1,001–2,000: 9%
  Rank 2,001+ (tail): 7%
Even the best tier is below half. Majestic Million .ch, n=4,188. US federal agencies have been required to publish one since 2020 [5].

We almost got it wrong

Our first number was 8%. Wrong — we’d forgotten to follow redirects, undercounting six-fold. We caught it and fixed it. A hygiene statistic produced sloppily belongs in the bin.

Figure: same data, two methods (large-company set). No redirects: 8% (wrong). Follow redirects: 48% (correct).
Reproduce it in an afternoon: take a list, fetch one file per domain, follow redirects, check for a Contact: line.

Ten minutes

A security.txt patches nothing. It just gives a willing stranger somewhere to send the warning:

  1. Create https://yourdomain/.well-known/security.txt
  2. Add a Contact: line and an Expires: date
  3. Done — securitytxt.org [2] writes it for you
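An added example, not the post's own code, that covers both the "reproduce it in an afternoon" method above and the three publishing steps: it parses a security.txt body per RFC 9116, applies the survey's test (a Contact: line is present), checks what a site owner needs before publishing (Contact: plus exactly one unexpired Expires:), and fetches one file per domain with redirects followed. The fetcher is a parameter so the survey runs offline; the domains and file bodies at the bottom are constructed placeholders, not survey data.

```python
"""security.txt survey and publishing check (RFC 9116).

Added example, not code from the original post. The network fetcher uses
urllib, whose default opener follows HTTP redirects (the step the first
survey run missed); survey() takes the fetcher as a parameter so the same
logic can run against constructed files, as at the bottom.
"""
from datetime import datetime, timezone
from typing import Callable, Dict, List, Optional
from urllib.error import HTTPError, URLError
from urllib.request import Request, urlopen

WELL_KNOWN_PATH = "/.well-known/security.txt"


def parse_security_txt(text: str) -> Dict[str, List[str]]:
    """Split a security.txt body into {field-name: [values]}.

    Field names are case-insensitive (RFC 9116), so they are lower-cased.
    Comment lines (#) and the armor lines of a PGP-signed file (-----) are
    skipped; an armor header such as 'Hash: SHA256' is harmless here.
    """
    fields: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("-----"):
            continue
        name, sep, value = line.partition(":")
        if sep:
            fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def has_contact(text: str) -> bool:
    """The survey's acceptance test from the post: at least one Contact: line."""
    return bool(parse_security_txt(text).get("contact"))


def check_fields(text: str, now: Optional[datetime] = None) -> List[str]:
    """Problems to fix before publishing (steps 1 and 2): RFC 9116 requires
    at least one Contact: and exactly one Expires: that has not passed."""
    problems: List[str] = []
    fields = parse_security_txt(text)
    if not fields.get("contact"):
        problems.append("missing Contact:")
    expires = fields.get("expires", [])
    if len(expires) != 1:
        problems.append("need exactly one Expires:")
    else:
        try:
            # RFC 9116 uses an RFC 3339 timestamp, e.g. 2026-12-31T23:59:00.000Z
            exp = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
            if exp.tzinfo is None:
                exp = exp.replace(tzinfo=timezone.utc)
            if exp <= (now or datetime.now(timezone.utc)):
                problems.append("Expires: date has passed")
        except ValueError:
            problems.append("Expires: is not an RFC 3339 timestamp")
    return problems


def fetch_security_txt(domain: str, timeout: float = 10.0) -> Optional[str]:
    """One passive GET of https://<domain>/.well-known/security.txt.
    urlopen follows 301/302/303/307/308 redirects by default; any error
    (no file, TLS failure, slow host) counts as 'no file' for the survey."""
    req = Request(f"https://{domain}{WELL_KNOWN_PATH}",
                  headers={"User-Agent": "security-txt-survey/example"})
    try:
        with urlopen(req, timeout=timeout) as resp:
            if resp.status != 200:
                return None
            return resp.read(65536).decode("utf-8", errors="replace")
    except (HTTPError, URLError, OSError, ValueError):
        return None


def survey(domains: List[str],
           fetcher: Callable[[str], Optional[str]] = fetch_security_txt) -> dict:
    """Fetch one file per domain and report the share with a Contact: line."""
    reachable: List[str] = []
    for domain in domains:
        body = fetcher(domain)
        if body is not None and has_contact(body):
            reachable.append(domain)
    total = len(domains)
    percent = round(100.0 * len(reachable) / total, 1) if total else 0.0
    return {"total": total, "reachable": reachable, "percent": percent}


# Constructed sample files standing in for fetched responses (placeholder
# domains, not survey data); None models a 404 or unreachable host.
SAMPLE_FILES: Dict[str, Optional[str]] = {
    "good.example": "Contact: mailto:security@good.example\n"
                    "Expires: 2099-01-01T00:00:00.000Z\n"
                    "Preferred-Languages: de, fr, it, en\n",
    "stale.example": "Contact: https://stale.example/report\n"
                     "Expires: 2020-01-01T00:00:00.000Z\n",
    "empty.example": "# file exists, but no address\n"
                     "Expires: 2099-01-01T00:00:00.000Z\n",
    "missing.example": None,
}


def sample_fetcher(domain: str) -> Optional[str]:
    """Offline stand-in for fetch_security_txt over the constructed files."""
    return SAMPLE_FILES.get(domain)


if __name__ == "__main__":
    result = survey(list(SAMPLE_FILES), fetcher=sample_fetcher)
    print(f"{result['percent']}% reachable: {result['reachable']}")
    for domain, body in SAMPLE_FILES.items():
        if body is not None:
            print(domain, check_fields(body) or "ok")
```

To run the real survey, pass a list of domains and leave the default fetcher in place: survey(domains). The survey counts a stale file as reachable, matching the post's Contact:-only test, while check_fields() is the stricter view a site owner wants before publishing.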

We find problems, report them, and ask for nothing back. This is the first in a series on the Swiss web — aggregate, reproducible, free — and we hold ourselves to the same bar.

Sources

  1. RFC 9116 — A File Format to Aid in the Coordinated Disclosure of Security Vulnerabilities. IETF. rfc-editor.org/rfc/rfc9116
  2. securitytxt.org — standard overview and file generator. securitytxt.org
  3. Majestic Million — public top-million domains list; the .ch subset used in full (n=4,188). majestic.com/reports/majestic-million
  4. Tranco — A Research-Oriented Top Sites Ranking Hardened Against Manipulation (NDSS 2019); top 3,000 .ch as a cross-check. tranco-list.eu
  5. CISA Binding Operational Directive 20-01 — US federal agencies must publish a Vulnerability Disclosure Policy. cisa.gov
  6. ENISA — Coordinated Vulnerability Disclosure. enisa.europa.eu
  7. NCSC Switzerland — Coordinated Vulnerability Disclosure. ncsc.admin.ch
  8. disclose.io — open-source safe-harbor framework for coordinated disclosure. disclose.io

Method: aggregate survey of .ch domains from the Majestic Million and Tranco public ranking lists on 2026-06-03; one passive request per domain to /.well-known/security.txt, following redirects and validating a Contact: field. A published file isn’t proof of a working programme, and a single snapshot can miss slow hosts. No company is named for the absence of a file. Research post, not legal advice.