Re: [specification] Interesting new movement to include "security.txt" files in projects

Mike Linksvayer

Yes, it is for web sites/services, for example

SECURITY.* in a code repository is typically alongside LICENSE -- though GitHub also looks in a couple of other locations -- I'm not aware of any commonplace or standard texts or structure, but I may be ignorant. Anyway, a few examples are

Yes, both .well-known in the website context and well-known files in the codebase context arguably run the risk of overpopulation, but it seems like making it easy to find out how to report security issues is quite important.


On Tue, Mar 21, 2023 at 4:18 AM Steve Kilbane <stephen.kilbane@...> wrote:

Is this JUST for web services? The location section focuses on a fixed URL rather than, say, a location within a source repo. But then, I've barely skimmed the document.


From: specification@... <specification@...> on behalf of Shane Coughlan <scoughlan@...>
Date: Tuesday, 21 March 2023 at 09:02
To: OpenChain Main <main@...>, OpenChain Specification <specification@...>
Subject: [specification] Interesting new movement to include "security.txt" files in projects


Jeff flagged this on our monthly call (2023-03-21).

It is like LICENSE files but for security.

What do you think? Have you heard about this? Useful in your workflow?
