Dear IT-humans: Please do yourselves a favour and create security@ as an email address on all of your domains which is actually routed and read by someone with knowledge about your IT!
That way you make it easy for people who accidentally stumble upon security issues with your infrastructure to actually report them to you.
The sheer fact of having and reading security@ (as mandated by RFC 2142) will help improving your IT security.
@herrdoering The age of an RFC is irrelevant. TCP still applies as well. :-)
I’ve had good experience with having security@ both as a receiver and as a sender.
People do stumble over security related issues by accident at times.
I want to make it easy for others to tell me if they find something. I’ll happily shoot a one-off email to security@ in case but won‘t dig around for hours just to find the right contact if there is any.
You‘re free to implement it or let it be.
chaos.social – a Fediverse instance for & by the Chaos community