Dear IT-humans: Please do yourselves a favour and create security@ as an email address on all of your domains which is actually routed and read by someone with knowledge about your IT!
That way you make it easy for people who accidentally stumble upon security issues with your infrastructure to actually report them to you.

The sheer fact of having and reading security@ (as mandated by RFC 2142) will help improving your IT security.

@MacLemon or, place a .well-known/security.txt file in the root of your website with the required information on how to contact you.

@graffen I agree that more people should do that. Though there's discussion about /security.txt vs. /.well-known/security.txt and one would need to check for both anyway.
My personal approach is to have both files and point them to security@ (for consistency and ease of use).

@MacLemon I thought that discussion on the securitytxt github died a couple of years ago in favour of /.well-known/? Has it come up again? Personally I prefer to keep files like this away from my web root.


@graffen You're right, that was quite a while ago. My bad, I've updated my knowledge. :-)

· whalebird · 0 · 0 · 1
Sign in to participate in the conversation – a Fediverse instance for & by the Chaos community