[arch-devops] security at archlinux.org address
Morten Linderud
foxboron at archlinux.org
Mon Feb 18 09:57:16 UTC 2019
On Mon, Feb 18, 2019 at 04:48:57AM -0500, Daniel M. Capella via arch-devops wrote:
> https://securitytxt.org/
It would be a bit beneficial if you made an argument instead of posting a link.
I'll quote somebody else's experience with this, which makes me inclined to
believe this is a bad idea in general.
"it seems I ended up having endless discussions with people who automated
the whole thing: they crawl the web for /.well-known/security.txt URI and if
they find it, automatically start-up metasploit or burp-suite and then send
you the canned report while asking you to fix these "serious problems". Yet
if you quiz any of these "researchers" deeper about individual items in
their canned reports you get nothing but blank stares, incompetence and
attempts to weasel out: "but burpsuite says that it is an error and you
should correct it", ..."
https://news.ycombinator.com/item?id=19152145
It's also worth noting that the link is not an argument for, or against, a
"security at archlinux.org" address in contrast to a listing of team members. This
is just an option to make it known.
--
Morten Linderud
PGP: 9C02FF419FECBE16