Dear IT-humans: Please do yourselves a favour and create security@ as an email address on all of your domains which is actually routed and read by someone with knowledge about your IT!
That way you make it easy for people who accidentally stumble upon security issues with your infrastructure to actually report them to you.
The sheer fact of having and reading security@ (as mandated by RFC 2142) will help improve your IT security.
@MacLemon or, place a .well-known/security.txt file in the root of your website with the required information on how to contact you.
@graffen I agree that more people should do that. Though there's discussion about /security.txt vs. /.well-known/security.txt and one would need to check for both anyway.
My personal approach is to have both files and point them to security@ (for consistency and ease of use).
@MacLemon I thought that discussion on the securitytxt github died a couple of years ago in favour of /.well-known/? Has it come up again? Personally I prefer to keep files like this away from my web root.
@graffen You're right, that was quite a while ago. My bad, I've updated my knowledge. :-)
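A small checker for the security.txt side of this thread, added here as an example rather than code from any of the participants. It builds the two candidate URLs in the order the discussion settled on (the standardised /.well-known/ location first, the bare web-root path only as a legacy fallback), parses the file's `Field: value` lines, and flags the problems a defender would want to see: a missing or non-URI Contact, or a missing, malformed or past Expires. The field names and their rules follow RFC 9116, which standardised security.txt after this discussion; the example.org sample file is constructed, and no network request is made.

```python
"""Locate and validate a security.txt file (added example, not the thread's code).

Assumes the RFC 9116 layout: `Field: value` lines, `#` comments, Contact
values that are absolute URIs (mailto:, https:, tel:), and exactly one
ISO 8601 Expires field.
"""
from datetime import datetime, timezone
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Priority order: the /.well-known/ path is the standardised location; the
# bare root path is the older placement some sites still use, so it is only
# a fallback when the first URL returns nothing.
SECURITY_TXT_PATHS = ("/.well-known/security.txt", "/security.txt")


def candidate_urls(domain: str) -> List[str]:
    """Return the URLs to try, in priority order, for a host name or site URL."""
    host = domain.strip().lower().rstrip("/")
    if "://" in host:
        host = urlsplit(host).netloc
    return [f"https://{host}{path}" for path in SECURITY_TXT_PATHS]


def parse_security_txt(text: str) -> Dict[str, List[str]]:
    """Parse security.txt into a field -> list-of-values mapping.

    Field names are case-insensitive and may repeat (several Contact lines),
    so every field maps to a list. Comment and blank lines are skipped, and a
    line without a colon is ignored as malformed rather than raising.
    """
    fields: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, _, value = line.partition(":")
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def validate(fields: Dict[str, List[str]], now: Optional[datetime] = None) -> List[str]:
    """Return the problems found; an empty list means the file is usable."""
    problems: List[str] = []
    contacts = fields.get("contact", [])
    if not contacts:
        problems.append("missing Contact field")
    for c in contacts:
        # A bare address like security@example.org is a common mistake; RFC 9116
        # wants a URI such as mailto:security@example.org.
        if not c.startswith(("mailto:", "https://", "tel:")):
            problems.append(f"Contact value is not an absolute URI: {c!r}")
    expires = fields.get("expires", [])
    if len(expires) != 1:
        problems.append("Expires must appear exactly once")
    else:
        try:
            exp = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
            if exp.tzinfo is None:  # treat a naive timestamp as UTC
                exp = exp.replace(tzinfo=timezone.utc)
            if exp <= (now or datetime.now(timezone.utc)):
                problems.append("file has expired")
        except ValueError:
            problems.append(f"Expires is not an ISO 8601 timestamp: {expires[0]!r}")
    return problems


# Constructed sample following the thread's advice: Contact points at security@.
SAMPLE = """\
# Constructed sample security.txt for example.org (not a real site's file)
Contact: mailto:security@example.org
Contact: https://example.org/security
Expires: 2030-01-01T00:00:00Z
Preferred-Languages: en, de
"""

if __name__ == "__main__":
    for url in candidate_urls("example.org"):
        print("would fetch:", url)
    parsed = parse_security_txt(SAMPLE)
    print(parsed)
    print("problems:", validate(parsed) or "none")
```

To use it against a live site, fetch each URL from `candidate_urls()` in order and feed the first body that comes back to `parse_security_txt()` and `validate()`; the validator deliberately reports every problem it finds rather than stopping at the first, so a single run tells you everything to fix.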
@MacLemon Not an IT human, but def. worth knowing. Thanks! :)
@MacLemon I didn't know this. How did I not know this? Thanks. I'll implement security@(domain) on both of my domains tomorrow.
@MacLemon Or do what I do and just get all non-assigned emails routed to the CTO and let him sort it out :)
@freemo (Ab)using a CTO as spam-filter doesn’t sound like a very economical solution to me. But who am I to judge? :-)
@MacLemon How ya figure. Im the CTO in at least two of my companies where I use this tactic. We have an actual spam filter so virtually none of the email that gets to me is spam (that I actually see).
@freemo Another piece of anecdotal evidence that irony doesn't travel well. When will I learn?
@MacLemon Thank you. It's probably good that I have this, seeing as I now have 2 domains with email configured.
@herrdoering The age of an RFC is irrelevant. TCP still applies as well. :-)
I’ve had good experience with having security@ both as a receiver and as a sender.
People do stumble over security related issues by accident at times.
I want to make it easy for others to tell me if they find something. I'll happily shoot a one-off email to security@ in case but won't dig around for hours just to find the right contact if there is any.
You're free to implement it or let it be.
@herrdoering @MacLemon Security-related information should go to your IT security creature, who is not necessarily your webmaster. If the two roles fall together, it's still good to have both addresses, for ease of communication.
Spam is a solved problem; spam filters have become good. A minimal spam filtering effort is the price of doing business, much like minimal maintenance is the price of doing it.
chaos.social – a Fediverse instance for & by the Chaos community