1) Security contact information published in SAML metadata is intended for direct communication between organizations in an identity federation regarding security incidents, as outlined in the Sirtfi Trust Framework.

2) Currently only a small percentage of entities in the InCommon federation include a security contact in their metadata, with 99 out of 577 organizations (17%) and 72 out of 414 identity providers (17%) listing a contact.

3) There are open questions around what information security contacts in metadata should contain, whether they represent an individual, department or organization, the expectations for response, and whether the practice should be promoted more broadly across federations.
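
A coverage count of the kind quoted in point 2 can be reproduced from a metadata aggregate. The following is an added example, not code from the original page or from InCommon. It assumes the security contact is marked with the REFEDS `remd:contactType` attribute (which the page does not name), counts per entity rather than per organization, and runs on a constructed sample with hypothetical entity IDs.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
REMD = "http://refeds.org/metadata"  # assumption: REFEDS security contact extension
SECURITY = "http://refeds.org/metadata/contactType/security"

# Constructed sample aggregate (hypothetical entities, not real federation data).
SAMPLE = f"""<md:EntitiesDescriptor xmlns:md="{MD}" xmlns:remd="{REMD}">
  <md:EntityDescriptor entityID="https://idp.example.edu/idp">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
    <md:ContactPerson contactType="other" remd:contactType="{SECURITY}">
      <md:EmailAddress>mailto:security@example.edu</md:EmailAddress>
    </md:ContactPerson>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.example.org/idp">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
    <md:ContactPerson contactType="technical"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.example.com/sp">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
    <md:ContactPerson contactType="other" remd:contactType="{SECURITY}">
      <md:GivenName>Security Team</md:GivenName>
    </md:ContactPerson>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""

def security_contacts(entity):
    """Return EmailAddress values of an entity's security contacts ('' if a contact has none)."""
    out = []
    for cp in entity.findall(f"{{{MD}}}ContactPerson"):
        if cp.get(f"{{{REMD}}}contactType") == SECURITY:
            out.append((cp.findtext(f"{{{MD}}}EmailAddress") or "").strip())
    return out

def coverage(xml_text):
    """Count entities and IdPs, and how many of each list a security contact."""
    root = ET.fromstring(xml_text)
    stats = {"entities": 0, "entities_with": 0, "idps": 0, "idps_with": 0, "no_email": []}
    for ent in root.iter(f"{{{MD}}}EntityDescriptor"):
        contacts = security_contacts(ent)
        is_idp = ent.find(f"{{{MD}}}IDPSSODescriptor") is not None
        stats["entities"] += 1
        stats["idps"] += is_idp
        stats["entities_with"] += bool(contacts)
        stats["idps_with"] += bool(contacts) and is_idp
        if contacts and not any(contacts):  # contact present but unreachable by e-mail
            stats["no_email"].append(ent.get("entityID"))
    return stats
```

The `no_email` list relates to the open question in point 3 about what a security contact should contain: an entry can be tagged as a security contact and still carry no address to reach during an incident.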