Add a .well-known/security.txt file in

Hello everyone,

I discovered today a new RFC (RFC 9116: A File Format to Aid in Security Vulnerability Disclosure) whose goal is to help properly reporting security issues: basically this RFC defines a format of a security.txt file that can be automatically parsed to give information about to whom to report a vulnerability and what is the policy regarding vulnerabilities.

I think it might be a good idea to put such file on, so I propose that we add a file containing the following content:

# Our security address

# Our security policy

Expires: [1 year after publication]

About expiration date: the RFC strongly advise to put one, I propose that we modify the upgrade plan of to include checking the security.txt and updating the date when we do perform an upgrade.

The RFC also advises to sign this security.txt, I’m not sure if we already a public PGP key that we could use: if we have I guess we should use it.


Out of curiosity, do you know what’s the current adoption of this RFC? I’m mainly thinking of external tool that are indexing/scrapping security.txt files and doing something with them?

I don’t know but it says This document is not an Internet Standards Track specification; it is published for informational purposes..

We have one we are using to sign Debian repositories.

I haven’t looked but it’s really a young RFC so I don’t expect much adoption yet, it says:

Published: April 2022

I think it cannot hurt :wink:

One thing that we could improve too is to add a section in our release notes or on the hall of fame page on, about thanking security reporters. And then put a link to it in the security.txt file. Now we’ll need a process if we were to do that or we will forget. Also it raises the question of why recognizing security reporters vs bug reporters… I don’t have the answer, just raising the topic :wink:

Note that the RFC says to put this file under

Each committer has its own key ATM.

Thanks. I’m hesitant to do more paperwork for something that will not be useful to others in the end.
Then, if we derive this file from structured data (e.g., XObjects), then a least they can be reused for some other format later (or to continue/improve what we started during last hackathon).