It is not a draft: https://datatracker.ietf.org/doc/html/rfc9116
Source: https://securitytxt.org

Yes, I know apache.org has their own page, and I would not add any contradicting information. In fact, there's a policy field taking a URL which should point to the apache.org policy (https://www.apache.org/security/#reporting-a-vulnerability).

-Ben

On Sun, 20 Nov 2022 at 19:32, Romain Manni-Bucau <rmannibu...@gmail.com> wrote:
>
> Hi,
>
> AFAIK it is still a draft which can not go anywhere (or go elsewhere like
> .security/ for some exposure reason since .well-known already has adoption
> and rules) and I didn't see it much adopted yet. However at apache we have
> kind of standards for that so isn't it too early to adopt it?
>
> Romain Manni-Bucau
> @rmannibucau <https://twitter.com/rmannibucau> | Blog
> <https://rmannibucau.metawerx.net/> | Old Blog
> <http://rmannibucau.wordpress.com> | Github <https://github.com/rmannibucau> |
> LinkedIn <https://www.linkedin.com/in/rmannibucau> | Book
> <https://www.packtpub.com/application-development/java-ee-8-high-performance>
>
>
> On Sun, 20 Nov 2022 at 18:48, Benjamin Marwell <bmarw...@apache.org> wrote:
>
> > Hi!
> >
> > Due to the recent GH activities (e.g. [1]), it came to my attention that
> > there is no file ".well-known/security.txt" on maven.apache.org.
> >
> > We really should adopt it!
> > For some more information, please refer to [2].
> >
> > WDYT?
> >
> > - Ben
> >
> > [1]: https://github.com/apache/maven-project-utils/pull/5
> > [2]: https://developer.okta.com/blog/2021/10/19/intro-security-txt