Hi Paul,

On Thu, Aug 06, 2020 at 06:58:56PM -0400, Paul Wouters wrote:
> On Fri, 7 Aug 2020, Jay Daley wrote:
>
> >> Is the overall effort here really just framing what the security.txt
> >> for all IETF-LLC properties/things should be?
> >
> > Is it your recommendation that we publish a security.txt? If we were to,
> > then I would imagine it would do no more than point to this policy.
>
> Please don't publish a security.txt file. See the previous discussions
> on SAAG why security.txt is not useful, and actually harmful.

I'm not sure that's an accurate characterization of the previous discussions.
My notes from the IETF LC indicate that it is perceived to be harmful when used
to attempt to report cases of active compromise, but that there is an important
distinction between a state of active compromise and a state of vulnerability.
I'm happy to have additional discussion on that matter, but it's probably most
appropriate to have it as a continuation of
https://mailarchive.ietf.org/arch/msg/saag/bmsyx9JKnuugpHvajw9svD0B0ks/ .

Thanks,

Ben