@graffen I agree that more people should do that. Though there's discussion about /security.txt vs. /.well-known/security.txt and one would need to check for both anyway.
My personal approach is to have both files and point them to security@ (for consistency and ease of use).
@MacLemon I thought that discussion on the securitytxt GitHub died a couple of years ago in favour of /.well-known/? Has it come up again? Personally I prefer to keep files like this away from my web root.
@graffen You're right, that was quite a while ago. My bad, I've updated my knowledge. :-)