pull down to refresh
0 sats \ 6 replies \ @ek 17 Dec 2023 freebie \ parent \ on: How private are the messages in a LN transaction? bitcoin_beginners
I think if someone does not look into the README of a project or the FAQ to check for responsible disclosure procedures, they definitely won't look up if there is a security.txt
So I don't think using security.txt would help us with this problem of people shooting first and asking questions later.
Do you agree?
I also don't agree with your view on CVD. Even though I appreciate your comment, I wasn't aware that we're moving away from "responsible disclosure". Will ask my itsec circle friends what they think about this.
However, we can of course also have a security.txt.
Just want to say that I think your reasoning doesn't make sense to me.
Are you saying reading source code is the same as reading a README?
Are you saying reading source code is the same as reading a README?
I'm saying I never looked at the source code of stacker.news and I never even visited the repository. If I, for some reason, would find a problem/vulnerability, just by navigating the website I would not know how to report the issue.
I'm a user, not a programmer or developer, so I don't generally look at Github and other sites where you store/share the source code. Just out of curiosity, I've just checked the FAQ and there is in fact a line at the bottom of the page, but there is no index and that's a lot of scrolling and reading.
Someone motivated to report the issue would eventually find that information after some hops. Others less motivated, would not report or would write it in a comment, and I don't blame them.
I'm just saying that "security.txt" is straight forward and kind of a standard, so independently of the website or project that is the first place I look at.
reply
I'm just saying that "security.txt" is straight forward and kind of a standard, so independently of the website or project that is the first place I look at.
Ah ok, I see where the misunderstanding comes from. I must admit, I didn't read the link you provided properly. I just assumed that you meant we should create a
SECURITY.txt
inside our repository. This didn't make sense to me since you mentioned you wouldn't look inside the repository anyway.But now I properly read what is written in the link. You mean we should have a security.txt hosted here. This makes sense, thanks! I will create a ticket for this.
but there is no index
There is an index:
We also have a search function integrated in the index:
reply
There is an index: We also have a search function integrated in the index:
ah ah! good catch, didn't know about that. Always learning.
reply
Always learning.
As we do :) Btw, thanks for your advice regarding security.txt. I appreciate it (my previous responses may not have sounded like I do, lol)
reply
deleted by author
reply
Even though I appreciate your comment, I wasn't aware that we're moving away from "responsible disclosure". Will ask my itsec circle friends what they think about this.
/cc @evmbro
reply