Dear IT-humans: Please do yourselves a favour and create security@ as an email address on all of your domains which is actually routed and read by someone with knowledge about your IT!
That way you make it easy for people who accidentally stumble upon security issues with your infrastructure to actually report them to you.

The sheer fact of having and reading security@ (as mandated by RFC 2142) will help improving your IT security.

@MacLemon or, place a .well-known/security.txt file in the root of your website with the required information on how to contact you.

@graffen I agree that more people should do that. Though there's discussion about /security.txt vs. /.well-known/security.txt and one would need to check for both anyway.
My personal approach is to have both files and point them to security@ (for consistency and ease of use).

@MacLemon I thought that discussion on the securitytxt github died a couple of years ago in favour of /.well-known/? Has it come up again? Personally I prefer to keep files like this away from my web root.

@graffen You're right, that was quite a while ago. My bad, I've updated my knowledge. :-)

@MacLemon Not an IT human, but def. worrth knowing. Thanks! :)

@MacLemon I didn't know this. How did I not know this? Thanks. I'll implement security@(domain) on both of my domains tomorrow.

@MacLemon Or do what I do and just get alll non-assigned emails routed to the CTO and let him sort it out :)

@freemo (Ab)using a CTO as spam-filter doesn’t sound like a very economical solution to me. But who am I to judge? :-)

@MacLemon How ya figure. Im the CTO in at least two of my companies where I use this tactic. We have an actual spam filter so virtually none of the email that gets to me is spam (that I actually see).

@freemo Another piece of anecdotal evidence that irony doesn't travel well. When will I learn?

@MacLemon Thank you. It's probably good that I have this, seeing as I now have 2 domains with email configured.

@MacLemon How are your experiences with that? I already have a "webmaster" account on all domains. Have you had personal positive experiences, that this additional address is helpful?

This RFC is from 1997. This is 22 years old now! And I call it into question, that an additional "security" account is helpful today, except for another handful of spammers.

If somebody is abused by my domain, there would also be "abuse". The same: Most abused devices will be a bunch of cheap cameras, routers and other devices not ever improved by any firmware update and such.

And what whould be sent to "security"? I personally would not give others advices for security issues in normal cases: I would not check other sites for this kind of issues. And if, I normally know the person behind and have a personal link to him.

One time I had an issue, because an email addresse of a website was used to try to hack the social network of my company. We did not get in contact by mail to this guy and we could not reach him by phone, like stated on his website. So I guess, it would not have been helpful for him, to have another account. ;-)

@herrdoering The age of an RFC is irrelevant. TCP still applies as well. :-)

I’ve had good experience with having security@ both as a receiver and as a sender.
People do stumble over security related issues by accident at times.

I want to make it easy for others to tell me if they find something. I’ll happily shoot a one-off email to security@ in case but won‘t dig around for hours just to find the right contact if there is any.

You‘re free to implement it or let it be.

@herrdoering @MacLemon security-related information. Should go to your it security creature, who is not necessarily your webmaster. If the two roles fall together, it's still good to have both addresses, for ease of communication.

Spam is a solved problem, spamfilters have become good. A minimal spam filtering effort is the price of doing business, much like minimal maintenance is the price of doing it

Sign in to participate in the conversation – a Fediverse instance for & by the Chaos community