On Mon, Feb 18, 2019 at 04:48:57AM -0500, Daniel M. Capella via arch-devops wrote:

It would be a bit beneficial if you made an argument instead of posting a link. I'll quote somebody else's experience with this, which makes me inclined to believe this is a bad idea in general.

"it seems I ended up having endless discussions with people who automated the whole thing: they crawl the web for /.well-known/security.txt URI and if they find it, automatically start-up metasploit or burp-suite and then send you the canned report while asking you to fix these "serious problems". Yet if you quiz any of these "researchers" deeper about individual items in their canned reports you get nothing but blank stares, incompetence and attempts to weasel out: "but burpsuite says that it is an error and you should correct it", ..."

https://news.ycombinator.com/item?id=19152145

It's also worth noting that the link is not an argument for, or against, a "security@archlinux.org" address in contrast to a listing of team members. This is just an option to make it known.

-- 
Morten Linderud
PGP: 9C02FF419FECBE16
It would be a bit benefitial if you made an argument instead of posting a link. I'll quote somebody elses experience with this, which makes me inclined to believe this is a bad idea in general. "it seems I ended up having endless discussions with people who automated the whole thing: they crawl the web for /.well-known/security.txt URI and if the find it, automatically start-up metasploit or burp-suite and then send you the canned report while asking you to fix these "serious problems". Yet if you quiz any of these "researchers" deeper about individual items in their canned reports you get nothing but blank stares, incompetence and attempts to weasel out: "but burpsuite says that it is an error and you should correct it", ..." https://news.ycombinator.com/item?id=19152145 It's also worth noting that the link is not an argument for, or against, a "security@archlinux.org" address in contrast to a listing of team members. This is just an option to make it known. -- Morten Linderud PGP: 9C02FF419FECBE16