Hi,

On Fri, Jan 23, 2026 at 01:51:29PM +0000, Peter Gutmann wrote:
> In the meantime I think the cURL folks approach is worth a mention:
>
> https://curl.se/.well-known/security.txt
>
> (Third sentence).

Let's please be posting actual content in here, not only links (but
links as well). Peter is referring to:

# We will ban you and ridicule you in public if you waste our time on crap
# reports.

The full content from the URL above:

---
#***************************************************************************
#                                  _   _ ____  _
#  Project                     ___| | | |  _ \| |
#                             / __| | | | |_) | |
#                            | (__| |_| |  _ <| |___
#                             \___|\___/|_| \_\_____|
#
# The curl open source project accepts security reports for problems found in
# products made by the curl project.
#
# We offer NO (zero) rewards or other kinds of compensation for reported
# problems, but we offer gratitude and acknowledgments clearly stated in
# documentation around confirmed issues.
#
# We will ban you and ridicule you in public if you waste our time on crap
# reports.

Contact: mailto:[email protected]
Contact: https://github.com/curl/curl/security/advisories
Policy: https://curl.se/dev/vuln-disclosure.html
Preferred-Languages: en
Acknowledgments: https://curl.se/docs/security.html
Expires: 2026-10-25T00:00:00Z
Canonical: https://curl.se/.well-known/security.txt
---

Alexander

P.S. While our list content guidelines ask not to post conference CFPs,
I felt this thread was more focused on this community and sufficiently
different from a CFP to let it through.
