[arch-devops] security at archlinux.org address

Morten Linderud foxboron at archlinux.org
Mon Feb 18 09:57:16 UTC 2019

On Mon, Feb 18, 2019 at 04:48:57AM -0500, Daniel M. Capella via arch-devops wrote:
> https://securitytxt.org/

It would be a bit benefitial if you made an argument instead of posting a link.
I'll quote somebody elses experience with this, which makes me inclined to
believe this is a bad idea in general.

    "it seems I ended up having endless discussions with people who automated
    the whole thing: they crawl the web for /.well-known/security.txt URI and if
    the find it, automatically start-up metasploit or burp-suite and then send
    you the canned report while asking you to fix these "serious problems". Yet
    if you quiz any of these "researchers" deeper about individual items in
    their canned reports you get nothing but blank stares, incompetence and
    attempts to weasel out: "but burpsuite says that it is an error and you
    should correct it", ..."


It's also worth noting that the link is not an argument for, or against, a
"security at archlinux.org" address in contrast to a listing of team members. This
is just an option to make it known.

Morten Linderud
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <https://lists.archlinux.org/pipermail/arch-devops/attachments/20190218/058ffb68/attachment.sig>

More information about the arch-devops mailing list