The specification for security.txt, which lets tools and security researchers know how to report vulnerabilities, is entering its final phase.
I suggest that you start serving the file from
Contact: https://tidelift.com/security
Preferred-Languages: en
Canonical: https://tidelift.com/.well-known/security.txt
Policy: https://tidelift.com/security
Preferably you also add a digital signature.
I think it would also be great if Lifted projects that have their own domain would get a task to add/modify their own file. For our project, we've listed Tidelift as well as our own contact and policy data.
What do you think?
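A small checker for the file suggested above, as an added example that is not part of the original post and not Tidelift's own code. The sample file is constructed from the four fields quoted in the post plus an Expires line, which the final specification (RFC 9116) requires; the signed sample wraps the same content in a PGP cleartext signature with a placeholder signature body. The checker unwraps that wrapper and flags an unsigned file, but does not verify the signature itself (that is a job for gpg --verify). The served URL passed to check() is an assumption used to test the Canonical field.

```python
"""Checker for a security.txt file (RFC 9116).

Added example; not code from the original post or from Tidelift.
SAMPLE is constructed from the fields quoted in the post plus an
Expires line (required by RFC 9116). SIGNED_SAMPLE carries a
placeholder signature: the wrapper is recognised, not verified.
"""
from datetime import datetime, timezone

SAMPLE = (
    "Contact: https://tidelift.com/security\n"
    "Preferred-Languages: en\n"
    "Canonical: https://tidelift.com/.well-known/security.txt\n"
    "Policy: https://tidelift.com/security\n"
    "Expires: 2099-01-01T00:00:00Z\n"          # assumption: not in the post
)

SIGNED_SAMPLE = (
    "-----BEGIN PGP SIGNED MESSAGE-----\n"
    "Hash: SHA256\n"
    "\n"
    + SAMPLE +
    "-----BEGIN PGP SIGNATURE-----\n"
    "\n"
    "iQEzBAEBCAAd (placeholder, not a real signature)\n"
    "-----END PGP SIGNATURE-----\n"
)

PGP_BEGIN = "-----BEGIN PGP SIGNED MESSAGE-----"
PGP_SIG = "-----BEGIN PGP SIGNATURE-----"


def strip_cleartext_signature(text):
    """Return (payload, signed). Unwraps an RFC 4880 cleartext signature:
    armor headers up to the first blank line, a dash-escaped body, then
    the signature block. An unsigned file is returned unchanged."""
    if not text.startswith(PGP_BEGIN):
        return text, False
    lines = text.splitlines()
    i = 1
    while i < len(lines) and lines[i].strip():   # skip "Hash: ..." headers
        i += 1
    payload = []
    for line in lines[i + 1:]:
        if line.startswith(PGP_SIG):
            break
        payload.append(line[2:] if line.startswith("- ") else line)  # un-dash-escape
    return "\n".join(payload) + "\n", True


def parse_fields(text):
    """Map lower-cased field names to the list of their values. Blank lines
    and '#' comments are skipped; any other non-field line is an error."""
    fields = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError(f"line {lineno}: not a 'Field: value' line")
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def check(text, served_url=None, now=None):
    """Return a list of problem codes; an empty list means the file passes."""
    now = now or datetime.now(timezone.utc)
    payload, signed = strip_cleartext_signature(text)
    f = parse_fields(payload)
    problems = []
    if not signed:
        problems.append("unsigned")
    if "contact" not in f:
        problems.append("missing-contact")
    elif any(not v.startswith(("https://", "mailto:", "tel:")) for v in f["contact"]):
        problems.append("contact-scheme")
    if "expires" not in f:
        problems.append("missing-expires")
    elif len(f["expires"]) > 1:
        problems.append("multiple-expires")
    else:
        exp = datetime.fromisoformat(f["expires"][0].replace("Z", "+00:00"))
        if exp.tzinfo is None:
            exp = exp.replace(tzinfo=timezone.utc)
        if exp <= now:
            problems.append("expired")
    # Canonical must list the URL the file is actually served from.
    if served_url and "canonical" in f and served_url not in f["canonical"]:
        problems.append("canonical-mismatch")
    if len(f.get("preferred-languages", [])) > 1:
        problems.append("multiple-preferred-languages")
    return problems


if __name__ == "__main__":
    url = "https://tidelift.com/.well-known/security.txt"
    print("unsigned sample:", check(SAMPLE, url) or "ok")
    print("signed sample:  ", check(SIGNED_SAMPLE, url) or "ok")
```

Run against a live site by fetching https://<host>/.well-known/security.txt and passing that URL as served_url; the "unsigned" code is the check that corresponds to the suggestion to add a digital signature.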