5555 sats \ 7 replies \ @beorange 17 Dec 2023 \ parent \ on: How private are the messages in a LN transaction? bitcoin_beginners
IMHO, "Responsible disclosure" is a bad term, it kind of attaches the responsibility of the problem to the person that found it. In my view "Coordinated disclosure" is a much better term.
One suggestion is that instead of assuming that everybody will read the source code and be aware of that message in the "readme" file, perhaps having a https://securitytxt.org/ can be more helpful, since it is becoming more and more standard.
I think if someone does not look into the README of a project or the FAQ to check for responsible disclosure procedures, they definitely won't look up if there is a security.txt
So I don't think using security.txt would help us with this problem of people shooting first and asking questions later.
Do you agree?
I also don't agree with your view on CVD. Even though I appreciate your comment, I wasn't aware that we're moving away from "responsible disclosure". Will ask my itsec circle friends what they think about this.
However, we can of course also have a security.txt.
Just want to say that I think your reasoning doesn't make sense to me.
assuming that everybody will read the source code and be aware of that message in the "readme" file,
Are you saying reading source code is the same as reading a README?