I think if someone does not look into the README of a project or the FAQ to check for responsible disclosure procedures, they definitely won't look up if there is a security.txt
So I don't think using security.txt would help us with this problem of people shooting first and asking questions later.
Do you agree?
I also don't agree with your view on CVD. Even though I appreciate your comment, I wasn't aware that we're moving away from "responsible disclosure". Will ask my itsec circle friends what they think about this.
However, we can of course also have a security.txt.
Just want to say that I think your reasoning doesn't make sense to me.
assuming that everybody will read the source code and be aware of that message in the "readme" file,
Are you saying reading source code is the same as reading a README?
Are you saying reading source code is the same as reading a README?
I'm saying I never looked at the source code of stacker.news and I never even visited the repository. If I, for some reason, would find a problem/vulnerability, just by navigating the website I would not know how to report the issue.
I'm a user, not a programmer or developer, so I don't generally look at GitHub and other sites where you store/share the source code. Just out of curiosity, I've just checked the FAQ and there is in fact a line at the bottom of the page, but there is no index and that's a lot of scrolling and reading.
Someone motivated to report the issue would eventually find that information after some hops. Others less motivated, would not report or would write it in a comment, and I don't blame them.
I'm just saying that "security.txt" is straightforward and kind of a standard, so independently of the website or project that is the first place I look at.
I'm just saying that "security.txt" is straightforward and kind of a standard, so independently of the website or project that is the first place I look at.
Ah ok, I see where the misunderstanding comes from. I must admit, I didn't read the link you provided properly. I just assumed that you meant we should create a SECURITY.txt inside our repository. This didn't make sense to me since you mentioned you wouldn't look inside the repository anyway.
But now I properly read what is written in the link. You mean we should have a security.txt hosted here. This makes sense, thanks! I will create a ticket for this.
but there is no index
There is an index:
We also have a search function integrated in the index:
There is an index: We also have a search function integrated in the index:
Ah ah! Good catch, didn't know about that. Always learning.
Always learning.
As we do :) Btw, thanks for your advice regarding security.txt. I appreciate it (my previous responses may not have sounded like I do, lol)
Even though I appreciate your comment, I wasn't aware that we're moving away from "responsible disclosure". Will ask my itsec circle friends what they think about this.