> I'm just saying that "security.txt" is straight forward and kind of a standard, so independently of the website or project that is the first place I look at.

Ah ok, I see where the misunderstanding comes from. I must admit, [I didn't read the link you provided](https://securitytxt.org/) properly. I just assumed that you meant we should create a `SECURITY.txt` _inside_ our repository. This didn't make sense to me since you mentioned you wouldn't look inside the repository anyway.

But now I properly read what is written in the link. You mean we should have a security.txt hosted [here](https://stacker.news/.well-known/security.txt). This makes sense, thanks! I will create a ticket for this.

> but there is no index

There is an index:

![2023-12-17-231904_1920x1080_scrot.png](https://m.stacker.news/8506)

We also have a search function integrated in the index:

![2023-12-17-231859_1920x1080_scrot.png](https://m.stacker.news/8507)

> Are you saying reading source code is the same as reading a README?

I'm saying I never looked at the source code of stacker.news and I never even visited the repository. If I, for some reason, would find a problem/vulnerability, just by navigating the website I would not know how to report the issue. 

I'm a user, not a programmer or developer, so I don't generally look at Github and other sites where you store/share the source code. Just out of curiosity, I've just checked the FAQ and there is in fact a line at the bottom of the page, but there is no index and that's a lot of scrolling and reading.

Someone motivated to report the issue would eventually find that information after some hops. Others less motivated, would not report or would write it in a comment, and I don't blame them.

I'm just saying that "security.txt" is straight forward and kind of a standard, so independently of the website or project that is the first place I look at.

beorange

> Even though I appreciate your comment, I wasn't aware that we're moving away from "responsible disclosure". Will ask my itsec circle friends what they think about this.

/cc @evmbro

I think if someone does not look into the README of a project or the [FAQ](/faq) to check for responsible disclosure procedures, they definitely won't look up if there is a security.txt

So I don't think using security.txt would help us with this problem of people shooting first and asking questions later.

Do you agree?

I also don't agree with your view on CVD. Even though I appreciate your comment, I wasn't aware that we're moving away from "responsible disclosure". Will ask my itsec circle friends what they think about this.

However, we can of course _also_ have a security.txt.

Just want to say that I think your reasoning doesn't make sense to me.

> assuming that everybody will read the source code and be aware of that message in the "readme" file,

Are you saying reading source code is the same as reading a README? 

bitcoin_beginners

How private are the messages in a LN transaction?

siggy47

IMHO, "Responsible disclosure" is a bad term, it kind of attaches the responsibility of the problem to the person that found it. In my view "[Coordinated disclosure](https://en.wikipedia.org/wiki/Coordinated_vulnerability_disclosure)" is a much better term. 

One suggestion is that instead of assuming that everybody will read the source code and be aware of that message in the "readme" file, perhaps having a [security.txt](https://securitytxt.org/) can be more helpful, since it is becoming more and more standard.