To server admins:
One upcoming but already widespread format is the security.txt file at https://your-server/.well-known/security.txt.
@infosechandbook Just added one to my site this week.
@infosechandbook As nice as the standard is, we already see automated scanners ramping up, sending you emails about vulnerabilities that are all false positives. In other words, this standard is sadly the best way to make your security team reluctant to act on actual security issues, because it becomes a "known red corner".
The proposed standard doesn't require you to include an actual e-mail address. You can add a link to a contact page, for example, that implements some anti-bot measures.
We deployed the file many months ago and we actually see scanners, but we didn't get a single spam mail.
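As an added example, not from this thread or from the infosechandbook site, here is a small Python checker for a security.txt file that covers both points above: the file lives at /.well-known/security.txt, and its Contact field may be an https: page (or a tel: number) rather than a mailto: address. It uses the field names from RFC 9116 (Contact, Expires, Encryption, Acknowledgments, Canonical, Policy, Preferred-Languages, Hiring); the example.org URLs, the two sample files and the fixed "current time" are constructed for illustration only.

```python
"""Minimal security.txt checker (RFC 9116 field names) with constructed sample files."""
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

# Constructed sample: Contact is a web form, not a mailbox, so scanners find no address to spam.
SAMPLE = """\
# Constructed example, as served at https://example.org/.well-known/security.txt
Contact: https://example.org/security/report
Contact: tel:+1-201-555-0123
Expires: 2025-06-30T00:00:00Z
Preferred-Languages: en, de
Canonical: https://example.org/.well-known/security.txt
Policy: https://example.org/security/policy
"""

# Constructed bad sample: bare e-mail address without mailto:, plain http URL, no Expires line.
BAD_SAMPLE = """\
Contact: security@example.org
Acknowledgments: http://example.org/hall-of-fame
"""

# Fixed "current time" (assumption for the demo) so the expiry checks are reproducible.
NOW_FOR_DEMO = datetime(2025, 1, 1, tzinfo=timezone.utc)

REQUIRED = ("Contact", "Expires")
KNOWN = {"Contact", "Expires", "Encryption", "Acknowledgments", "Canonical",
         "Policy", "Preferred-Languages", "Hiring"}
CONTACT_SCHEMES = {"https", "mailto", "tel"}
HTTPS_ONLY = ("Acknowledgments", "Canonical", "Policy", "Hiring")


def parse(text):
    """Return {field_name: [values...]} in file order; comments and blank lines are skipped."""
    fields = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError(f"line {lineno}: expected 'Field: value', got {raw!r}")
        fields.setdefault(name.strip(), []).append(value.strip())
    return fields


def check(text, now=None):
    """Return a list of human-readable problems; an empty list means the file passed."""
    now = now or datetime.now(timezone.utc)
    problems = []
    fields = parse(text)
    for name in REQUIRED:
        if name not in fields:
            problems.append(f"missing required field {name}")
    for name in fields:
        if name not in KNOWN:
            problems.append(f"unknown field {name}")
    for value in fields.get("Contact", []):
        # The field must be a URI; a bare address or an http:// URL is rejected.
        if urlparse(value).scheme not in CONTACT_SCHEMES:
            problems.append(f"Contact {value!r} is not an https:, mailto: or tel: URI")
    for name in HTTPS_ONLY:
        for value in fields.get(name, []):
            if urlparse(value).scheme != "https":
                problems.append(f"{name} {value!r} must be an https: URL")
    expires = fields.get("Expires", [])
    if len(expires) > 1:
        problems.append("Expires must appear exactly once")
    for value in expires:
        try:
            when = datetime.fromisoformat(value.replace("Z", "+00:00"))
        except ValueError:
            problems.append(f"Expires {value!r} is not an ISO 8601 timestamp")
            continue
        if when.tzinfo is None:
            problems.append(f"Expires {value!r} has no timezone")
        elif when <= now:
            problems.append(f"Expires {value!r} is in the past; treat the file as stale")
        elif when - now > timedelta(days=365):
            problems.append(f"Expires {value!r} is more than a year away (RFC 9116 recommends less)")
    return problems


def exposes_mailbox(text):
    """True if any Contact line hands scanners a plain mailto: address."""
    return any(v.startswith("mailto:") for v in parse(text).get("Contact", []))


if __name__ == "__main__":
    for label, doc in (("sample", SAMPLE), ("bad sample", BAD_SAMPLE)):
        print(label, "->", check(doc, now=NOW_FOR_DEMO) or "OK")
```

Run it against your own deployed file by fetching https://your-server/.well-known/security.txt and passing the body to check(); a non-empty list is what a scanner (or a human reporter) would trip over, and exposes_mailbox() tells you whether the file publishes an address that bots can harvest.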
chaos.social – a Fediverse instance for & by the Chaos community