Dear IT-humans: Please do yourselves a favour and create security@ as an email address on all of your domains which is actually routed and read by someone with knowledge about your IT!
That way you make it easy for people who accidentally stumble upon security issues with your infrastructure to actually report them to you.

The sheer fact of having and reading security@ (as mandated by RFC 2142) will help improve your IT security.

ietf.org/rfc/rfc2142.txt
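The point of the post is that security@ must actually be routed to a person, not merely exist. As an added example (not code from the thread or from any of its participants), the Python script below audits a sendmail/Postfix-style aliases file for the RFC 2142 role mailboxes, follows alias chains, and reports roles that are undefined, loop, end in a pipe or file, or point at a name that is neither an alias nor a local account. The aliases text and the set of local accounts are constructed sample data; the role list is a selection relevant to a domain owner, not the full RFC 2142 table.

```python
"""Audit an /etc/aliases-style file for RFC 2142 role mailboxes.

Added example, not part of the original thread. Assumes the classic
sendmail/Postfix aliases syntax: "name: target, target" with '#' comments
and indented continuation lines. ':include:' files are not handled.
"""

# Role addresses selected from RFC 2142 (security@ and abuse@ are the ones
# the thread is about; postmaster@ is additionally required by RFC 5321).
RFC2142_ROLES = ("security", "abuse", "postmaster", "hostmaster", "webmaster")


def parse_aliases(text):
    """Parse aliases text into {name: [targets]}; names are lower-cased."""
    aliases, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # strip comments
        if not line.strip():
            continue
        if line[0] in " \t" and current is not None:   # continuation line
            aliases[current] += [t.strip() for t in line.split(",") if t.strip()]
            continue
        name, _, targets = line.partition(":")
        current = name.strip().lower()
        aliases[current] = [t.strip() for t in targets.split(",") if t.strip()]
    return aliases


def resolve(name, aliases, local_users, path=()):
    """Follow alias chains from `name`.

    Returns (final_recipients, problems). External addresses and existing
    local accounts count as recipients; pipes, files, loops and unknown
    names are reported as problems because nobody reads mail sent there.
    """
    final, problems = set(), []
    if name in path:
        return final, [f"alias loop: {' -> '.join(path + (name,))}"]
    if name in aliases:                      # an alias entry wins over a local account
        for t in aliases[name]:
            if t[0] in "|/":
                problems.append(f"{name} -> {t}: delivered to a pipe or file, not a person")
            elif t.startswith("\\"):         # \user bypasses aliasing: local delivery
                user = t[1:].lower()
                if user in local_users:
                    final.add(user)
                else:
                    problems.append(f"{name} -> {t}: no such local account")
            elif "@" in t:
                final.add(t.lower())
            else:
                f, p = resolve(t.lower(), aliases, local_users, path + (name,))
                final |= f
                problems += p
    elif name in local_users:
        final.add(name)
    else:
        problems.append(f"{name}: neither an alias nor a local account")
    return final, problems


def audit(aliases_text, local_users, roles=RFC2142_ROLES):
    """Return {role: {"recipients": set, "problems": list}} for each role."""
    aliases, local_users = parse_aliases(aliases_text), set(local_users)
    report = {}
    for role in roles:
        if role not in aliases and role not in local_users:
            report[role] = {"recipients": set(), "problems": ["not defined"]}
            continue
        recipients, problems = resolve(role, aliases, local_users)
        if not recipients:
            problems.append("resolves to nobody")
        report[role] = {"recipients": recipients, "problems": problems}
    return report


# Constructed sample input: security@ and abuse@ are fine, but everything
# routed via root@ silently disappears into /dev/null.
SAMPLE_ALIASES = """\
# constructed sample /etc/aliases
postmaster: root
hostmaster: root
webmaster:  alice
abuse:      security
security:   secteam
secteam:    alice, bob@example.net
root:       /dev/null          # classic mistake: root mail goes nowhere
"""
LOCAL_USERS = {"alice", "root"}

if __name__ == "__main__":
    for role, result in audit(SAMPLE_ALIASES, LOCAL_USERS).items():
        status = "OK" if not result["problems"] else "PROBLEM"
        print(f"{role:<11} {status:<8} recipients={sorted(result['recipients'])} "
              f"problems={result['problems']}")
```

Run it against the real aliases file (`audit(open('/etc/aliases').read(), set(pwd.getpwall() names))`) after every `newaliases`; the sample run shows the typical failure mode the thread warns about, a role address that exists on paper but reaches nobody.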

@MacLemon What are your experiences with that? I already have a "webmaster" account on all domains. Have you had personal positive experiences showing that this additional address is helpful?

This RFC is from 1997. That is 22 years old now! And I question whether an additional "security" account is helpful today, except for another handful of spammers.

If somebody is abused by my domain, there would also be "abuse". Same thing there: most abused devices will be a bunch of cheap cameras, routers and other devices never improved by any firmware update and such.

And what would be sent to "security"? I personally would not give others advice on security issues in normal cases: I would not check other sites for this kind of issue. And if I did, I would normally know the person behind it and have a personal link to him.

One time I had an issue because an email address of a website was used to try to hack the social network of my company. We could not get in contact with this guy by mail, and we could not reach him by phone as stated on his website. So I guess it would not have been helpful for him to have another account. ;-)

@herrdoering The age of an RFC is irrelevant. TCP still applies as well. :-)

I’ve had good experience with having security@ both as a receiver and as a sender.
People do stumble over security related issues by accident at times.

I want to make it easy for others to tell me if they find something. I’ll happily shoot a one-off email to security@ in case but won’t dig around for hours just to find the right contact if there is any.

You’re free to implement it or let it be.

chaos.social – a Fediverse instance for & by the Chaos community