Thursday, May 21, 2026

Re: Invitation to participate in our academic survey on "Perception of providing security contact information for domains"

On Thu, May 21, 2026 at 10:46:49AM -0400, Paul Wouters wrote:
> Without commenting on the usefulness of security.txt, I just wanted to
> point out fedoraproject seems to publish one not on the main domain but on
> the admin subdomain:
>
> https://admin.fedoraproject.org/.well-known/security.txt

Yes, we do.

> RFC9116 seems to believe it should be available per service name and that
> one on the main domain (or on www.) would not cover anything else (eg
> sub domains).
>
> I don't think this is only available on admin.fedoraproject.org by design,
> but I could be wrong. The situation does however match my personal (not
> endorsed by Fedora) feelings about security.txt in general :)

Yeah. I don't know that we want to produce a security.txt for every
subdomain we have, especially when they would likely be all the same
contents.

> Note when you google for "fedora security" you do get to
> https://fedoraproject.org/security/ that also has contact information at
> the bottom.
>
> Paul, not speaking for the Fedora Project here

kevin, speaking for fedora infrastructure, but agreeing with Paul. ;)

kevin
--
> On Wed, May 20, 2026 at 7:32 PM AIFB-security-txt-study <
> security-txt-study@aifb.kit.edu> wrote:
>
> > Greetings,
> >
> > we are researchers from the university in Karlsruhe, Germany, the
> > Karlsruhe Institute of Technology (KIT). We are contacting you today,
> > because by analyzing the most visited domains [1] we found that your domain
> > fedoraproject.org is seemingly not providing contact information for a
> > security contact via a security.txt [2].
> >
> > As part of our research project on vulnerability notifications [3] we are
> > investigating why domain owners do not provide a security.txt. We aim to
> > identify reasons for non-adoption, as well as reasons that hinder or delay
> > adoption. In case you already provide security contact information in other
> > forms, we also highly appreciate your response.
> >
> > Your perspective is very valuable to us, as it helps us pinpoint specific
> > issues that we need to take into account when developing recommendations
> > and awareness materials.
> >
> > To allow you to respond anonymously, we have created an online survey. The
> > survey will take about 5 minutes to complete. The survey can be accessed
> > via the following link: https://soscisurvey.scc.kit.edu/securitytxt
> >
> > Alternatively, we also appreciate your feedback as response to our email.
> > Please find the questions below.
> >
> > Thank you very much for your time and support!
> >
> > Best regards,
> > Anne Hennig
> >
> > [1] https://tranco-list.eu/
> > [2] https://securitytxt.org
> > [3] https://s.kit.edu/vulnerability-notifications
> >
> >
> > QUESTIONS
> > 1. Have you ever heard about security.txt before? [Yes / No]
> >    1.1 If yes: On what occasion did you hear about security.txt?
> > 2. Have you already implemented or are you planning to implement
> >    security.txt for your domain? [Yes / No / Already implemented / I provide
> >    contact information in other forms (please specify)]
> >    2.1 If in planning: What is your timeline for the implementation? Why
> >        did you decide to implement a security.txt? What are your greatest
> >        concerns? What benefits do you expect?
> >    2.2 If no implementation planned: Why did you decide not to implement
> >        a security.txt? What are your greatest concerns? What would motivate you to
> >        implement a security.txt? Can you think of potential benefits when
> >        implementing a security.txt?
> >    2.3 If already implemented: Why did you decide to implement a
> >        security.txt? What were your greatest concerns before implementation? What
> >        benefits did you expect? What are your current experiences?
> > 3. Demographic information:
> >    3.1 In which country is your organization mainly located?
> >    3.2 What is your role with regard to the domain we contacted?
> >    3.3 What sector does your organization or business belong to?
> >    3.4 How many employees does your organization or business have? [1-9,
> >        10-49, 50-249, 250-499, 500-999, 1000-4.999, 5.000 or more]
> >
> > -----------
> >
> > Legal Disclaimer:
> > The legal basis for the processing of your personal data is Article
> > 6(1)(e) in conjunction with Article 6(3) of the General Data Protection
> > Regulation (GDPR) and Section 13(1) of the Baden-Württemberg State Data
> > Protection Act.
> >
> > In accordance with Articles 13 and 14 of the GDPR, we hereby inform you
> > that we have processed your contact information for scientific research
> > purposes without having obtained your prior consent. The processing is
> > carried out exclusively for the purpose of inviting you to participate in
> > the aforementioned study. You have the right at any time to have your
> > contact information deleted and to object to further contact.
> >
> > We will not contact you again for the purpose of this study. Your name and
> > email address will be stored separately from your responses. It is not
> > possible to identify you personally from this data. We will delete your
> > contact information at the end of the project.
> >
> > -----------
> >
> > Karlsruhe Institute of Technology (KIT)
> > Institute of Applied Informatics and Formal Description Methods (AIFB)
> > Research Group Security • Usability • Society (SECUSO)
> >
> > Anne Hennig, M.A.
> > Research Associate
> >
> > E-Mail: anne.hennig@kit.edu
> >
> > Registered Office
> > Kaiserstraße 12, 76131 Karlsruhe
> >
> > KIT – The University in the Helmholtz-Association
> >

--
_______________________________________________
websites mailing list -- websites@lists.fedoraproject.org
To unsubscribe send an email to websites-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/websites@lists.fedoraproject.org
Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new
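
The per-host scope discussed in the thread can be checked mechanically. The sketch below is an added example, not part of the original message or of Fedora's tooling: it applies the RFC 9116 rules (Contact required, Expires exactly once and in the future, the retrieval URI listed in Canonical when that field is present, and a file applying only to the host it was fetched from) to constructed files on the placeholder hosts `admin.example.org` and `www.example.org`.

```python
from datetime import datetime, timezone
from urllib.parse import urlsplit

def parse_security_txt(text):
    """Return {lowercased field name: [values]}; comments and blank lines are skipped."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, value = line.split(":", 1)
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields

def check(retrieved_uri, text, now):
    """List the RFC 9116 problems of a file fetched from retrieved_uri ([] = usable)."""
    f = parse_security_txt(text)
    problems = []
    if not f.get("contact"):
        problems.append("missing Contact")
    expires = f.get("expires", [])
    if len(expires) != 1:
        problems.append("Expires must appear exactly once")
    else:
        try:
            if datetime.fromisoformat(expires[0].replace("Z", "+00:00")) <= now:
                problems.append("expired")
        except (ValueError, TypeError):
            problems.append("unparseable Expires")
    canonical = f.get("canonical", [])
    if canonical and retrieved_uri not in canonical:
        problems.append("retrieved URI not listed in Canonical")
    return problems

def covered_hosts(files, now):
    """Hosts with a usable file; a file never covers sub- or parent domains."""
    return {urlsplit(uri).hostname for uri, text in files.items()
            if not check(uri, text, now)}

# Constructed sample data: one file copied unchanged to a second host.
SAMPLE_NOW = datetime(2026, 5, 21, tzinfo=timezone.utc)
SHARED = ("Contact: mailto:security@example.org\n"
          "Expires: 2027-01-01T00:00:00Z\n"
          "Canonical: https://admin.example.org/.well-known/security.txt\n")
FILES = {
    "https://admin.example.org/.well-known/security.txt": SHARED,
    "https://www.example.org/.well-known/security.txt": SHARED,
}

if __name__ == "__main__":
    print(sorted(covered_hosts(FILES, SAMPLE_NOW)))
```

Serving identical contents on several hosts passes the check once every retrieval URI has its own Canonical line in the shared file.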
