Hello *,
I have implemented this for some clients and documented my experience here:
It seems that there is renewed pressure to get this draft signed off due to the latest BOD draft:
(from November 27, 2019) that makes the presence of a disclosure policy (using security.txt) mandatory on gov domains:
"Binding Operational Directive 20-01 Develop and Publish a Vulnerability Disclosure Policy" https://cyber.dhs.gov/bod/20-01/
It seems gov domains are already banking on this becoming a standard. I personally believe there is 0 value in standardizing this.
> Create a security.txt file at the “/.well-known/” path of the
> agency’s primary .gov domain. This file must include the Policy and
> Contact fields, as specified in the Internet-Draft.
best regards
~DA
-- last-call mailing list last-call@xxxxxxxx https://www.ietf.org/mailman/listinfo/last-call
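An added example, not part of the original message or of the directive: a minimal check that a security.txt body carries the two fields the quoted directive text requires (Policy and Contact). It assumes the "Name: value" line format with "#" comment lines and case-insensitive field names; the hostnames and sample files are constructed.

```python
# Added example. The path and the two required field names come from the
# directive text quoted above; everything else is an assumption.
WELL_KNOWN_PATH = "/.well-known/security.txt"
REQUIRED = ("contact", "policy")


def parse_fields(text):
    """Return {lowercased field name: [values]} for a security.txt body."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        name, sep, value = line.partition(":")
        if not sep:
            continue  # not a field line (e.g. a signature armor line)
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def missing_required(text):
    """List required fields that are absent or present only with empty values."""
    fields = parse_fields(text)
    return [f for f in REQUIRED if not any(fields.get(f, []))]


# Constructed sample: both required fields present, mixed case, one comment.
GOOD = """\
# Constructed sample for agency.example
contact: mailto:security@agency.example
Policy: https://agency.example/vulnerability-disclosure-policy
"""

# Constructed sample: Policy line exists but has no value.
BAD = """\
Contact: https://agency.example/report
Policy:
"""

if __name__ == "__main__":
    for label, body in (("GOOD", GOOD), ("BAD", BAD)):
        gaps = missing_required(body)
        print(label, WELL_KNOWN_PATH, "missing:", gaps or "none")
```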