@indy-singh
Last active July 24, 2023 08:42
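```bat
rem Download the full breach list from the Have I Been Pwned API (saved as "breaches", which the next line reads).
curl.exe -LORJ https://haveibeenpwned.com/api/v3/breaches
rem Extract the unique, non-empty domains and append the security.txt path to each.
jq.exe .[] breaches | jq.exe -r .Domain | sort.exe | uniq.exe | awk.exe 'NF' | awk.exe '$0=$0"/.well-known/security.txt"' > urls.txt
rem Send a HEAD request to each URL and print status code, content type and URL (%% is a literal % in a batch file).
xargs -n 1 curl.exe --location --head --max-time 1 -w "%%{http_code} %%{content_type} %%{url}\n" -o NUL -s < urls.txt
```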
@indy-singh
Author

Plenty of false positives, but some legit ones.


@indy-singh
Author

If you append | grep 200 | grep -v -e "html":-

200 text/plain; charset=UTF-8 8fit.com/.well-known/security.txt
200 text/plain; charset=UTF-8 adobe.com/.well-known/security.txt
200 text/plain;charset=UTF-8 ancestry.com/.well-known/security.txt
200  avvo.com/.well-known/security.txt
200 text/plain badoo.com/.well-known/security.txt
200 text/plain; charset=utf-8 dailymotion.com/.well-known/security.txt
200 text/plain deezer.com/.well-known/security.txt
200 text/plain dropbox.com/.well-known/security.txt
200 text/plain; charset=UTF-8 ethereum.org/.well-known/security.txt
200 application/json eyeem.com/.well-known/security.txt
200 text/plain;charset=utf-8 facebook.com/.well-known/security.txt
200 text/plain; charset=UTF-8 gemini.com/.well-known/security.txt
200 text/plain jobandtalent.com/.well-known/security.txt
200 text/plain knuddels.de/.well-known/security.txt
200 text/plain linkedin.com/.well-known/security.txt
200 text/plain;charset=UTF-8 mall.cz/.well-known/security.txt
200 text/plain mangadex.org/.well-known/security.txt
200 text/plain; charset=UTF-8 ovh.com/.well-known/security.txt
200 text/plain; charset=utf-8 patreon.com/.well-known/security.txt
200 text/plain plex.tv/.well-known/security.txt
200 text/plain; charset=UTF-8 promofarma.com/.well-known/security.txt
200 text/plain; charset=utf-8 robinhood.com/.well-known/security.txt
200 text/plain roblox.com/.well-known/security.txt
200 text/plain terravision.eu/.well-known/security.txt
200 text/plain; charset=utf-8 truckersmp.com/.well-known/security.txt
200 text/plain tumblr.com/.well-known/security.txt
200 text/plain;charset=utf-8 twitter.com/.well-known/security.txt
200  vbulletin.com/.well-known/security.txt
200 text/plain yahoo.com/.well-known/security.txt
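
Added example, not part of the gist: a stricter triage of the `%{http_code} %{content_type} %{url}` output than `grep 200 | grep -v html`, which matches `200` anywhere in the line and keeps responses that carry no content type. The function names, verdict labels and sample lines are constructed for illustration; the body check follows RFC 9116, which requires at least one `Contact` field and exactly one `Expires` field.

```shell
#!/bin/sh
# Added example: triage "<status> <content-type> <url>" lines from curl -w.

# Constructed sample output (reserved example domains, not real scan results).
SAMPLE='200 text/plain; charset=utf-8 a.example/.well-known/security.txt
200 text/html; charset=utf-8 b.example/.well-known/security.txt
200  c.example/.well-known/security.txt
301 text/html d.example/.well-known/security.txt'

# The content type may be empty or contain a space, so take the first and
# last fields and treat whatever lies between them as the content type.
classify_line() {
    line=$1
    status=${line%% *}
    url=${line##* }
    ctype=${line#"$status"}
    ctype=${ctype%"$url"}
    ctype=$(printf '%s' "$ctype" | tr 'A-Z' 'a-z' | tr -d ' ')
    [ "$status" = "200" ] || { echo reject; return; }
    case $ctype in
        text/plain*) echo candidate ;;   # the type RFC 9116 requires
        "")          echo check-body ;;  # no Content-Type: inspect the body
        *)           echo reject ;;      # HTML soft-404 pages, JSON, etc.
    esac
}

# Read a fetched body on stdin; succeed only if it has the fields RFC 9116
# requires: at least one Contact and exactly one Expires.
has_required_fields() {
    awk '
        { sub(/\r$/, "") }      # tolerate CRLF line endings
        /^#/ { next }           # skip comment lines
        tolower($0) ~ /^contact:[ \t]*[^ \t]/ { contact++ }
        tolower($0) ~ /^expires:[ \t]*[^ \t]/ { expires++ }
        END { exit !(contact >= 1 && expires == 1) }
    '
}

# Print "<verdict> <url>" for every non-empty input line.
triage() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        printf '%s %s\n' "$(classify_line "$line")" "${line##* }"
    done
}

printf '%s\n' "$SAMPLE" | triage
```

To confirm a `candidate` or `check-body` URL, pipe its body into the second function, for example `curl -sL https://<domain>/.well-known/security.txt | has_required_fields`.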
