Is something like a security.txt not a required part of IT certification? I would say a procedure around vulnerability handling and reporting to be required.