You should add a security.txt
I just want to make everyone aware of the great concept of the security.txt
file, which is very useful for receiving vulnerability reports for services
you’re using or providing. I have received two reports already and am quite
happy to report that both have been resolved (one was solved by just taking down
the service as was planned beforehand).
The policy itself is pretty straightforward and can be understood by everyone. Here is mine, and as you will see it’s quite self-explanatory:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Contact: mailto:moritz@poldrack.dev
Contact: mailto:~poldi1405/security@lists.sr.ht
Expires: 2024-12-31T23:00:00.000Z
Encryption: https://keys.openpgp.org/vks/v1/by-fingerprint/190A743436A77032B4E17C9F47DF8FD1598E633F
Encryption: https://moritz.sh/pgp-key.txt
Preferred-Languages: de, en
Canonical: https://moritz.sh/.well-known/security.txt
Canonical: https://git.sr.ht/~poldi1405/website/tree/master/item/static/.well-known/security.txt
-----BEGIN PGP SIGNATURE-----

iHUEARYIAB0WIQTL+OUT8rbB/4DIG62EJtcJm4xt2gUCYwFOqQAKCRCEJtcJm4xt
2gDtAQCILpZ7UumwbZYuJGEzdXCvax7Y5WKyDwloyob+rJ5u0gD/cY0fWu+QWwl6
ISS0aH6uHlMVcYsn2W8t0YAAq6E8BQ0=
=q+f3
-----END PGP SIGNATURE-----
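A small validator for a file in this format, added here as an example and not code from the original post or its author: it strips the PGP cleartext armor, parses the directives, and applies two RFC 9116 rules worth checking on any deployed file, a missing or already-past Expires and a plain http: Contact URL. SAMPLE is constructed and its signature is not verified; `now` is an ISO 8601 string so a check can be pinned to a date.

```python
from datetime import datetime, timezone

def signed_body(text):
    """Drop PGP cleartext armor (Hash: headers, trailing signature) if present."""
    head, _, rest = text.partition("\n\n")  # armor headers end at the first blank line
    body = rest if head.startswith("-----BEGIN PGP SIGNED MESSAGE-----") else text
    return body.partition("-----BEGIN PGP SIGNATURE-----")[0]

def parse_fields(body):
    """Return (name, value) pairs, ignoring blank lines and # comments."""
    lines = (l.strip() for l in body.splitlines())
    return [tuple(p.strip() for p in l.split(":", 1))
            for l in lines if l and not l.startswith("#") and ":" in l]

def parse_ts(value):
    # ISO 8601 like 2024-12-31T23:00:00.000Z; older Pythons reject a bare Z suffix
    ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)  # naive -> UTC

def validate(text, now=None):
    """List of problems (empty when the file passes); `now` is an ISO string or None."""
    now = parse_ts(now) if now else datetime.now(timezone.utc)
    fields = parse_fields(signed_body(text))
    # Contact and Expires are the two directives RFC 9116 requires
    problems = [f"missing required field {r}" for r in ("Contact", "Expires") if r not in dict(fields)]
    for name, value in fields:
        if name == "Contact" and value.startswith("http://"):
            problems.append(f"Contact web URIs must use https: {value}")
        if name == "Expires":
            try:
                exp = parse_ts(value)
            except ValueError:
                problems.append(f"Expires is not ISO 8601: {value}")
                continue
            if exp <= now:
                problems.append(f"file expired on {value}")
    return problems

SAMPLE = """-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

# constructed sample, modelled on the file above
Contact: mailto:security@example.com
Expires: 2024-12-31T23:00:00.000Z
-----BEGIN PGP SIGNATURE-----

(signature omitted in this constructed sample)
-----END PGP SIGNATURE-----
"""
```

Run `validate(SAMPLE)` against a fetched file periodically; an expired security.txt is the most common way a once-correct policy silently stops working.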
You can go ahead and generate yours right now using this handy generator.