Serving security.txt

The specification for security.txt, to let tools and security researchers know how to report vulnerabilities, is entering its final phase.

Tidelift website

I suggest that you start serving the file from https://tidelift.com/.well-known/security.txt

Example contents:

Contact: https://tidelift.com/security
Preferred-Languages: en
Canonical: https://tidelift.com/.well-known/security.txt
Policy: https://tidelift.com/security

Preferably you also add a digital signature.

Lifted Projects

I think it would also be great if Lifted projects that have their own domain would get a task to add/modify their own file. For our project, we’ve listed tidelift as well as our own contact and policy data.

What do you think?

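Added example, not code from the post or from Tidelift: a small Python checker for a security.txt file like the one suggested above. It assumes the field rules of RFC 9116 (the published form of the spec the post refers to): Contact and Expires are required, Canonical should name the URL the file is actually served from, and an OpenPGP cleartext signature is recommended; the sample contents are constructed from the post's example plus an Expires line.

```python
from datetime import datetime, timezone

REQUIRED = ("Contact", "Expires")

# Constructed sample from the post's example, plus the Expires line RFC 9116 requires.
SAMPLE = """\
Contact: https://tidelift.com/security
Preferred-Languages: en
Canonical: https://tidelift.com/.well-known/security.txt
Policy: https://tidelift.com/security
Expires: 2030-01-01T00:00:00Z
"""

def unwrap_cleartext(body):
    """Return (field_text, signed); detects an OpenPGP cleartext wrapper, does not verify it."""
    if not body.startswith("-----BEGIN PGP SIGNED MESSAGE-----"):
        return body, False
    _, _, rest = body.partition("\n\n")  # armor headers end at a blank line
    text, _, _ = rest.partition("-----BEGIN PGP SIGNATURE-----")
    return text, True

def parse_security_txt(text):
    """Return {field: [values]}, skipping comments (#) and blank lines."""
    fields = {}
    for raw in text.splitlines():
        name, sep, value = raw.strip().partition(":")
        if sep and not name.startswith("#"):
            fields.setdefault(name.strip(), []).append(value.strip())
    return fields

def check_security_txt(body, served_from, now=None):
    """Return a list of findings; an empty list means the file passes."""
    now = now or datetime.now(timezone.utc)
    text, signed = unwrap_cleartext(body)
    fields = parse_security_txt(text)
    findings = [f"missing required field: {n}" for n in REQUIRED if n not in fields]
    for exp in fields.get("Expires", []):
        try:
            when = datetime.fromisoformat(exp.replace("Z", "+00:00"))
        except ValueError:
            findings.append(f"Expires is not an ISO 8601 timestamp: {exp}")
            continue
        if when.replace(tzinfo=when.tzinfo or timezone.utc) <= now:  # treat naive times as UTC
            findings.append(f"file expired on {exp}")
    if "Canonical" in fields and served_from not in fields["Canonical"]:
        findings.append(f"Canonical does not list {served_from}")
    if not signed:
        findings.append("not signed (the post and RFC 9116 recommend a signature)")
    return findings
```

Run it against the body fetched from /.well-known/security.txt and the URL it was fetched from; a signed file that passes returns an empty list.
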

@r.spilker thank you for this amazing feedback! I’ll share with the team and get their thoughts and let you know if we have any questions.