
Half The ShinyHunters Watch List Cannot Receive A Vulnerability Report. We Checked. We Added security.txt Visibility To AIPM Scoring As The Eighth Technical Signal.

  • Writer: Patrick Duggan

May 8, 2026 · DugganUSA LLC · Companion to "Warning: Eight Names On Our ShinyHunters Watch List"


Earlier today we published the watch list. Eight named candidates with elevated pre-stage indicators in our threat-intelligence index that, applied to the Medtronic-prediction methodology, place them in the high-risk band for ShinyHunters or related-cluster targeting in the next 4-12 weeks.


After publishing, we set out to do the responsible thing — send each named candidate a private warning email with the per-target receipts. The kind of email we sent Medtronic on March 19, the kind that produced an autoresponder confirmation but no follow-up, the kind whose 39-day window closed when ShinyHunters posted nine million records.


We sent four emails. We could not send the other six. The reason is not flattering for any of them.


The Check We Ran



For each of the named candidates plus several adjacent organizations, we hit the canonical paths a security researcher would use to find a vulnerability disclosure channel: /.well-known/security.txt (RFC 9116, published 2022), /security.txt (legacy fallback), and /security (the conventional human-readable disclosure page). For each response we verified that the bytes returned were not a 200-everywhere SPA fallback (which is worse than no security.txt at all because automated scanners report it as compliant when it is not).


The full list of organizations checked includes the eight named watch-list candidates plus Caremark, Aetna, Anthology (Blackboard parent), PowerSchool, Itron, and Xfinity for cross-reference.


What We Found



Reachable, with real disclosure infrastructure (we sent the warning email today):


| Target | Channel | Posture |
|---|---|---|
| GE Healthcare | Real /security page (642KB, not SPA), [email protected] | ✅ Email sent |
| Moderna | Real /security page (530KB, not SPA), [email protected] | ✅ Email sent |
| Express Scripts | Real /security page (135KB), [email protected] (PSIRT routes through Cigna parent) | ✅ Email sent |
| Optum | RFC 9116 security.txt with valid Contact: directive, [email protected] | ✅ Email sent |
| Blackboard / Anthology | RFC 9116 security.txt with valid web-form Contact: at trust-center/submit-a-vulnerability | ✅ Reachable (manual submit pending) |
| PowerSchool | Real /security page (105KB) — post-breach posture maturation after early-2025 incident | ✅ Reachable |



Unreachable — no canonical channel for an outside researcher to send a security report in 2026:


| Target | What we found | Read |
|---|---|---|
| CVS / CVS Health | No security.txt anywhere on cvshealth.com. No /security path returning content. | F500 #6, healthcare data, no incoming channel |
| Aetna (CVS subsidiary) | No security.txt | Insurance data, no channel |
| Caremark (CVS PBM) | security.txt path returns 1,995-byte SPA fallback — pretends to be RFC 9116 compliant, is not | Worse than no security.txt — automated compliance scanners will report green |
| Nike | No security.txt; /help/a/security returns 619KB SPA homepage | Already named in workday-nike.com ShinyHunters phishing infrastructure — pre-staged target with no incoming channel |
| Comcast / Xfinity | No security.txt at corporate.comcast.com or xfinity.com or comcast.com | Already named in sharepoint-comcast.com phishing — same situation as Nike |
| Kaiser Permanente | security.txt path returns 1,091,996-byte HTML homepage (SPA fallback) | 12.7M members of one of the largest integrated health systems in the United States, no real disclosure channel |
| Schoology | security.txt returns 212-byte SPA shell | K-12 LMS, education-sector data, no channel |
| Itron | Got breached alongside Medtronic in April; STILL no security.txt today | Post-breach hygiene did not include adding a disclosure path. They got hit, and they still cannot receive an outside vulnerability report. |



RFC 9116 Has Been Published Since 2022



The Internet Engineering Task Force published RFC 9116 (A File Format to Aid in Security Vulnerability Disclosure) in April 2022. CISA's Binding Operational Directive 20-01 mandated vulnerability disclosure programs for federal civilian executive branch agencies in September 2020. The OWASP Vulnerability Disclosure Cheat Sheet has recommended security.txt since 2018. Bug bounty platforms (HackerOne, Bugcrowd, Intigriti) have integrated security.txt discovery as a default workflow since at least 2020.


It is May 2026. CVS Health, Comcast, Kaiser Permanente, Nike, Schoology, Itron, and Caremark — collectively serving hundreds of millions of consumers, students, members, and customers — do not operate a basic vulnerability disclosure path that has been industry standard for more than half a decade.


This is the same posture problem Medtronic had — except worse, because at least Medtronic had an autoresponder. The pre-breach private warning, sent to a security mailbox, confirmed delivered. We had a record of having tried, even if the warning was not acted on. For half the new watch list there is no equivalent route. The only available outreach mode is the public post.


We Added security.txt Visibility To AIPM Scoring



The AIPM (AI Presence Management) product at aipmsec.com measures what AI knows about a brand across multiple dimensions — awareness, accuracy, sentiment, recommendation, plus seven technical signals (robots.txt, LD-JSON, semantic HTML, sitemap, meta tags, llms.txt, NLWeb) that determine whether the brand's web surface is structured for AI consumption.


As of today the structure analyzer scores an eighth technical signal: RFC 9116 security.txt visibility plus the conventional /security disclosure page. The scoring rubric:


  • 90-95: RFC 9116 compliant security.txt with valid Contact: directive, served as plain text, not SPA fallback

  • 65-70: Real /security HTML page (large enough to plausibly carry a disclosure policy, contains disclosure-program keywords)

  • 30-50: /security present but small or SPA-fallback-shaped (deceptive partial signal)

  • 15: security.txt path returns HTML (200-everywhere SPA fallback that pretends compliance) — explicitly penalized

  • 0: No reachable disclosure path at all
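An added example of how the check described under "The Check We Ran" and the rubric above fit together in code. It is written for this page and is not DugganUSA's aipm.js or its evaluateSecurityReporting() function. It probes the three canonical paths through an injected fetch function, classifies each response (RFC 9116 text with a valid Contact: directive, HTML at the security.txt path, a /security page with or without policy keywords) and maps the result onto the bands. The hypothetical hosts and their responses, the 20 KB page threshold, the keyword list, the band ordering and the point splits inside each band (90 vs 95, 65 vs 70, 30 vs 50) are this example's assumptions.

```javascript
// Added example for this page; not DugganUSA's aipm.js or its
// evaluateSecurityReporting(). Probes the three canonical disclosure paths,
// classifies each response and maps the result onto the rubric bands.
// Thresholds, keyword list, band ordering and in-band splits are assumptions.

const WELL_KNOWN = "/.well-known/security.txt"; // RFC 9116 location
const LEGACY = "/security.txt";                 // pre-RFC fallback location
const PAGE = "/security";                       // conventional human-readable page

// Assumed threshold: a /security page smaller than this is a shell, not a policy.
const MIN_REAL_PAGE_BYTES = 20 * 1024;
// Assumed markers of a real disclosure policy, matched case-insensitively.
const DISCLOSURE_WORDS = /vulnerabilit|responsible disclosure|psirt|report a security/gi;

// Parse RFC 9116 "Field: value" lines; comments (#) and blank lines are skipped.
function parseSecurityTxt(body) {
  const fields = {};
  for (const raw of body.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith("#")) continue;
    const m = /^([A-Za-z-]+):\s*(.+)$/.exec(line);
    if (!m) continue;
    const key = m[1].toLowerCase();
    (fields[key] = fields[key] || []).push(m[2].trim());
  }
  return fields;
}

// A 200-everywhere SPA answers every path with its index.html; the body shape
// gives it away even when the Content-Type header is missing or mislabelled.
function looksLikeHtml(body) {
  return /^\s*<(!doctype|html|head|body|div|script)/i.test(body);
}

// RFC 9116 Contact values are URIs; mailto:, https: and tel: are the usual schemes.
function isValidContact(value) {
  return /^(mailto:|https:\/\/|tel:)/i.test(value);
}

function classifySecurityTxt(resp, now = Date.now()) {
  if (!resp || resp.status !== 200) return { kind: "absent" };
  if (looksLikeHtml(resp.body) || /text\/html/i.test(resp.contentType || "")) {
    return { kind: "spa_fallback", bytes: resp.body.length };
  }
  const fields = parseSecurityTxt(resp.body);
  const contacts = (fields.contact || []).filter(isValidContact);
  if (contacts.length === 0) return { kind: "invalid", reason: "no valid Contact:" };
  const exp = fields.expires ? Date.parse(fields.expires[0]) : NaN;
  const expired = Number.isNaN(exp) || exp <= now; // missing Expires counts as expired
  return { kind: "compliant", contacts, expired, canonical: fields.canonical || [] };
}

function classifySecurityPage(resp) {
  if (!resp || resp.status !== 200) return { kind: "absent" };
  const keywords = (resp.body.match(DISCLOSURE_WORDS) || []).length;
  const bytes = resp.body.length;
  if (bytes >= MIN_REAL_PAGE_BYTES && keywords > 0) return { kind: "real", keywords, bytes };
  return { kind: "thin", keywords, bytes }; // small, or large but policy-free (SPA homepage)
}

// Rubric mapping. Ordering is this example's choice: a real /security page keeps
// its band, but HTML at the security.txt path outranks a thin page because that
// is the deceptive signal the rubric explicitly penalizes.
function scoreSecurityReporting(txt, page) {
  if (txt.kind === "compliant") return !txt.expired && txt.canonical.length > 0 ? 95 : 90;
  if (page.kind === "real") return page.keywords >= 3 ? 70 : 65;
  if (txt.kind === "spa_fallback") return 15;
  if (page.kind === "thin") return page.keywords > 0 ? 50 : 30;
  return 0;
}

// fetchFn(host, path) -> { status, contentType, body }. The well-known path is
// authoritative; /security.txt is consulted only when it is absent.
function checkHost(fetchFn, host, now = Date.now()) {
  let txt = classifySecurityTxt(fetchFn(host, WELL_KNOWN), now);
  if (txt.kind === "absent") txt = classifySecurityTxt(fetchFn(host, LEGACY), now);
  const page = classifySecurityPage(fetchFn(host, PAGE));
  return { host, txt, page, score: scoreSecurityReporting(txt, page) };
}

// Constructed responses for hypothetical hosts, modelled on the postures in the tables above.
const html = (body) => ({ status: 200, contentType: "text/html", body });
const SPA_SHELL = '<!DOCTYPE html><html><body><div id="app"></div></body></html>';
const SAMPLE = {
  "compliant.example": {
    [WELL_KNOWN]: { status: 200, contentType: "text/plain", body:
      "# constructed sample security.txt\n" +
      "Contact: mailto:security@compliant.example\n" +
      "Expires: 2027-05-08T00:00:00Z\n" +
      "Canonical: https://compliant.example/.well-known/security.txt\n" +
      "Policy: https://compliant.example/security\n" },
  },
  "spa.example": { [WELL_KNOWN]: html(SPA_SHELL), [LEGACY]: html(SPA_SHELL), [PAGE]: html(SPA_SHELL) },
  "page-only.example": {
    [PAGE]: html("<!DOCTYPE html><html><body><h1>Report a security vulnerability</h1>" +
      "<p>Responsible disclosure: email our PSIRT.</p>" +
      "x".repeat(MIN_REAL_PAGE_BYTES) + "</body></html>"),
  },
  "silent.example": {},
};

function sampleFetch(host, path) {
  return (SAMPLE[host] || {})[path] || { status: 404, contentType: "text/html", body: "not found" };
}

const FIXED_NOW = Date.parse("2026-05-08T00:00:00Z"); // the post's date, for reproducible Expires checks

if (typeof require !== "undefined" && require.main === module) {
  for (const host of Object.keys(SAMPLE)) {
    const r = checkHost(sampleFetch, host, FIXED_NOW);
    console.log(`${host}: score ${r.score} (security.txt=${r.txt.kind}, /security=${r.page.kind})`);
  }
}
```

Run with Node to print one line per sample host. To probe live hosts, replace sampleFetch with a function that performs the HTTP request and returns the same { status, contentType, body } shape. Testing the body shape rather than trusting Content-Type alone is what catches the 200-everywhere fallback when the server mislabels the response, and checking Expires against a fixed clock keeps the result reproducible in a test.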


The reasoning: security-reporting visibility is part of what AI should know about a brand. If a security researcher asks an AI model "how do I responsibly disclose a vulnerability to CVS Health?", the AI's answer is constrained by what CVS Health makes findable. If the answer is "I don't know," AIPM should reflect that gap. If the answer is "I don't know" because the brand has no canonical channel, that is the brand's problem, and AIPM should score it accordingly.


The 95% epistemic cap applies as it always does. A score of 95 on this dimension does not equal a perfect security posture. It equals the highest available rate of disclosure-channel visibility that the active ingredient (RFC 9116 conformance plus a real /security page) supports.


Our Own security.txt



We do not score companies on signals we do not also operate. We shipped our own RFC 9116 security.txt at analytics.dugganusa.com/.well-known/security.txt simultaneously with this post — Contact directives for [email protected] and [email protected], Expires set to 2027-05-08, Canonical and Policy and Acknowledgments and Hiring directives all present. We will publish the same file at our other controllable properties as we deploy them through the build pipeline.


If you find a vulnerability in any DugganUSA-controlled surface, the channel is open. The hall of fame is open. We respond same-business-day, capped at 95% confidence on every claim — if our response includes the word "100%" anywhere, that is itself a defect worth flagging back to us.


Summary For The Person On The Watch List Reading This



If you are a security executive at GE Healthcare, Moderna, Express Scripts, Optum, Blackboard, or PowerSchool — the email is in your Product Security or PSIRT inbox. Same-business-day cross-check is at [email protected].


If you are a security executive at CVS Health, Comcast, Kaiser Permanente, Nike, Schoology, Itron, or Caremark — we tried to send you the warning. We could not. Adding a basic RFC 9116 security.txt to your .well-known/ directory takes thirty minutes, costs zero dollars, has been industry standard since 2022, and would have allowed an outside researcher to reach you with the kind of advance notice we tried to give Medtronic in March. The cost of operating without it is documented above; the upside of adding it is also documented above.


The list will update as you ship the channel. We will resend the warning email when the channel exists. The AIPM score for your brand will rise by ten weighted points across the structure-analysis dimension when the channel is reachable. The reach in your industry, in your customer base, and in your regulatory posture all benefit from the same eight-line text file.


We are at [email protected]. We respond.


— Patrick Duggan

DugganUSA LLC, Minneapolis


Aye.


Receipts



  • RFC 9116 (A File Format to Aid in Security Vulnerability Disclosure): published April 2022 by the IETF

  • CISA Binding Operational Directive 20-01: VDP mandate for federal civilian executive branch agencies, September 2020

  • OWASP Vulnerability Disclosure Cheat Sheet: recommends security.txt since 2018

  • Watch list: published earlier today at dugganusa.com — eight named candidates, ranked by IOC pre-stage volume in our index (1.14M IOCs across 44 indexes)

  • Warning emails sent today, May 8, 2026: GE Healthcare, Moderna, Express Scripts (via Cigna PSIRT), Optum

  • Warning emails not sent due to no reachable channel: CVS / Caremark / Aetna, Nike, Comcast / Xfinity, Kaiser Permanente, Schoology, Itron

  • AIPM structure analyzer: now scores 8 technical signals (added security.txt today). Code change in microservices/analytics-dashboard/routes/api/v1/aipm.js evaluateSecurityReporting() function. Weights rebalanced to maintain 1.0 sum.

  • Our own RFC 9116 security.txt: live at analytics.dugganusa.com/.well-known/security.txt (deploys with the next analytics revision)

  • 95% epistemic cap: applied to all DugganUSA scoring claims including the new security_reporting dimension

  • Public STIX feed: analytics.dugganusa.com/api/v1/stix-feed (free, 25 queries/day, permanent)





Her name was Renee Nicole Good.


His name was Alex Jeffery Pretti.
