Re: [specification] Interesting new movement to include "security.txt" files in projects
Yes, securitytext.org is for web sites/services, for example https://github.com/.well-known/security.txt
SECURITY.* is in a code repository, typically alongside LICENSE -- though GitHub also looks in a couple of other locations (https://docs.github.com/en/code-security/getting-started/adding-a-security-policy-to-your-repository) -- I'm not aware of any commonplace or standard texts or structure, but I may be ignorant. Anyway, a few examples are:
https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md
https://github.com/microsoft/repo-templates/blob/main/shared/SECURITY.md
https://github.com/github/.github/blob/main/SECURITY.md
Yes, both .well-known in the website context and well-known files in the codebase context arguably run the risk of overpopulation, but it seems like making it easy to find out how to report security issues is quite important.
On Tue, Mar 21, 2023 at 4:18 AM Steve Kilbane <stephen.kilbane@...> wrote: