NovemberTang (Author) commented Apr 1, 2026
I don't think extensive testing of this change is necessary, but if someone from the team would be willing to pair with me to test this out, I'd be very appreciative!
I'm also happy to go over the purpose/format of the file with any interested reviewers.
What is the value of this and can you measure success?
Our security.txt file provides a route for security researchers to report vulnerabilities to us. It shows that we take security seriously, and that we have a process for evaluating security reports. Currently, it isn't working properly, which reduces reporter confidence in our process.
What does this change?
A few fields in the security.txt file are not working. They are all optional according to the RFC. I've updated:
- Hiring, which is easy to fix.
- Encryption should point to a public key. Currently, that key is inaccessible.
- Signature points to a digital signature that is only verifiable using the public key. As this key is inaccessible, it's not possible to verify the signature, and this field is not usable.
I've removed both of these fields temporarily so we can fix forward, without creating a frustrating experience for researchers.
N.B. There is a little more work to make the security.txt file valid according to the RFC. This PR does not intend to do that. The goal is that all the fields that do exist should work correctly.
Screenshots
This is a plaintext file, the git diff is the complete change
Checklist
data/database files generated by tests are committed with this PR (the tests will fail in CI if you've forgotten to do this)
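As an added example, not part of this PR or the project's own code: a small checker for the problem the description raises (optional fields whose URLs do not resolve). It parses a security.txt as laid out in RFC 9116, checks the two fields that RFC makes mandatory (Contact and Expires), flags field names the RFC does not define, and fetches every URL-valued field through an injectable `fetch` callable so it can run offline. The sample file, `stub_fetch`, `REVIEW_DATE` and the example.com URLs are constructed assumptions, not the repository's real file; `http_status` is the live fetcher you would pass in against a deployed site.

```python
"""Check a security.txt (RFC 9116) for missing, expired or unreachable fields."""
from __future__ import annotations

import urllib.error
import urllib.request
from datetime import datetime, timezone
from typing import Callable

# Field names defined in RFC 9116, section 2.5; anything else is reported.
RFC9116_FIELDS = {"acknowledgments", "canonical", "contact", "encryption",
                  "expires", "hiring", "policy", "preferred-languages"}
# Fields whose values are web URIs a researcher is expected to open.
URL_FIELDS = {"acknowledgments", "canonical", "encryption", "hiring", "policy"}

# Assumed reference date for the Expires check (the PR's date in this example).
REVIEW_DATE = datetime(2026, 4, 1, tzinfo=timezone.utc)


def parse_security_txt(text: str) -> list[tuple[str, str]]:
    """Return (field, value) pairs in file order, with field names lower-cased.

    Blank lines, '#' comments and the PGP cleartext-signature framing of a
    signed file are skipped. A line without ':' is returned as
    ('!malformed', line) so the caller can report it.
    """
    pairs: list[tuple[str, str]] = []
    in_armor_header = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "-----BEGIN PGP SIGNED MESSAGE-----":
            in_armor_header = True        # 'Hash:' lines follow until a blank line
            continue
        if in_armor_header:
            if not line:
                in_armor_header = False
            continue
        if line == "-----BEGIN PGP SIGNATURE-----":
            break                         # the signature block carries no fields
        if not line or line.startswith("#"):
            continue
        field, sep, value = line.partition(":")
        if not sep or not field.strip():
            pairs.append(("!malformed", line))
        else:
            pairs.append((field.strip().lower(), value.strip()))
    return pairs


def check_security_txt(text: str, fetch: Callable[[str], int],
                       now: datetime | None = None) -> list[str]:
    """Return findings as strings; an empty list means every check passed.

    `fetch(url)` must return the HTTP status code for url or raise on error.
    """
    now = now or datetime.now(timezone.utc)
    findings: list[str] = []
    fields: dict[str, list[str]] = {}
    for name, value in parse_security_txt(text):
        fields.setdefault(name, []).append(value)

    for line in fields.get("!malformed", []):
        findings.append(f"malformed line (no 'Field: value'): {line!r}")
    if "contact" not in fields:
        findings.append("missing required field Contact")
    expires = fields.get("expires", [])
    if len(expires) != 1:
        findings.append(f"Expires must appear exactly once (found {len(expires)})")
    else:
        try:
            when = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
            if when.tzinfo is None:
                findings.append("Expires must carry a time zone offset")
            elif when <= now:
                findings.append(f"file expired on {expires[0]}")
        except ValueError:
            findings.append(f"Expires is not an RFC 3339 date-time: {expires[0]!r}")

    for name, values in fields.items():
        if name.startswith("!"):
            continue
        if name not in RFC9116_FIELDS:
            findings.append(f"field {name!r} is not defined in RFC 9116")
            continue
        if name not in URL_FIELDS:
            continue
        for url in values:
            if not url.startswith("https://"):
                findings.append(f"{name}: web URI must use https: {url}")
                continue
            try:
                status = fetch(url)
            except (OSError, ValueError) as exc:   # DNS failure, timeout, bad URL
                findings.append(f"{name}: {url} unreachable ({exc})")
                continue
            if status != 200:
                findings.append(f"{name}: {url} returned HTTP {status}")
    return findings


def http_status(url: str, timeout: float = 10) -> int:
    """Live fetcher: HEAD the URL and return its status code."""
    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


# Constructed sample, not the project's file: the Encryption key is missing
# and Signature is a field name RFC 9116 does not define.
SAMPLE = """\
# Constructed example security.txt
Contact: mailto:security@example.com
Expires: 2027-01-01T00:00:00.000Z
Encryption: https://example.com/pgp-key.txt
Hiring: https://example.com/careers
Signature: https://example.com/.well-known/security.txt.sig
"""


def stub_fetch(url: str) -> int:
    """Stand-in for the network: only the careers page exists."""
    return 200 if url.endswith("/careers") else 404


if __name__ == "__main__":
    for finding in check_security_txt(SAMPLE, stub_fetch, now=REVIEW_DATE):
        print("-", finding)
```

Run as a script it reports the unreachable Encryption URL and the undefined Signature field while leaving Hiring alone, which is the state the description calls "all the fields that do exist should work correctly". Swap `stub_fetch` for `http_status` to run it against a live site.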