To server admins:

It is a good practice to provide contact details, so others can contact you in case of security vulnerabilities or questions regarding your privacy policy.

One upcoming but already widespread format is the security.txt file at https://your-server/.well-known/security.txt.

See and

@infosechandbook as nice as the standard is, we already see automated scanners ramping up, sending emails about vulnerabilities to you, that are all false positives. In other words, this standard is sadly the best way to make your security team reluctant to actual security issues because it becomes a "known red corner".


The proposed standard doesn't require you to include an actual e-mail address. You can add a link to a contact page, for example, that implements some anti-bot measures.


We deployed the file many months ago and we actually see scanners, but we didn't get a single spam mail.
