> On 7/08/2020, at 7:13 AM, Christopher Morrow <morrowc.lists@xxxxxxxxx> wrote:
>
> I hate to be late to the party, but..
>
> Is the overall effort here really just framing what the security.txt
> for all IETF-LLC properties/things should be?

Is it your recommendation that we publish a security.txt? If we were to, then I would imagine it would do no more than point to this policy.

> …
> I think the easiest thing to use is email, forcing a web interface is
> rough on some folks :(
> an email to a ticket system with auto-responder (and ideally both gpg
> verification inbound and signing outbound) would be nice.
> that could be published on the eventual security.txt even :)
> "send gpg signed mail, if you can gpg sign, expect a gpg signed mail
> from our ticket system with incident-id"

Captured the basic part of this as "Automated response should be PGP signed" in https://github.com/ietf-llc/infrastructure-and-services-vulnerability-disclosure-statement/issues/7

>
>> (2)
> * What the email address should be for reports to be sent to.
>>
>> @Jay - Can you list the options being considered here to help aid the discussion?
>>
>
> security@ ? :)

See my crossing response about the problem with this - if you have any feedback on that it would be most welcome.

Jay

>
>> Thanks
>> Jason

-- 
Jay Daley
IETF Executive Director
jay@xxxxxxxx
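As an added illustration, not part of this thread and not anything the IETF LLC has published: a security.txt of the kind discussed above, one that does no more than point at the disclosure policy, name the reporting address and publish the key used to sign automated responses, follows the RFC 9116 layout below. The host, the policy URL, the mailbox and the key fingerprint are placeholders chosen for the example; the thread does not settle the real address, and the PGP cleartext signature that RFC 9116 recommends wrapping the file in is shown only as framing with the signature body omitted.

```text
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

# Served at https://www.example.org/.well-known/security.txt (placeholder host)
# Contact: where reports go; the thread's open question is which mailbox this is
Contact: mailto:security-reports@example.org
# Encryption: key that inbound reports may be encrypted to and that the
# ticket system's automated responses are signed with (placeholder fingerprint)
Encryption: https://www.example.org/.well-known/pgp-key.txt
# Policy: the disclosure statement itself; the file points here and nowhere else
Policy: https://www.example.org/security-disclosure-policy
# Canonical: lets a reader tell a copied or mirrored file from the real one
Canonical: https://www.example.org/.well-known/security.txt
Preferred-Languages: en
# Expires is mandatory in RFC 9116; keep it under a year out and re-sign on renewal
Expires: 2021-08-01T00:00:00Z
-----BEGIN PGP SIGNATURE-----

[OpenPGP cleartext signature over the fields above, omitted in this example]
-----END PGP SIGNATURE-----
```

Two things worth checking before publishing such a file: the key referenced by `Encryption:` should be the same key the ticket system signs its auto-responses with, so a reporter who verifies the file can also verify the reply carrying the incident id; and the `Expires:` date needs a calendar reminder, because an expired file is treated as stale by tools that consume it.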