Policy on security-related feedback?
I want to make an issue on the Security Considerations of the Recommendation. But I'm not sure if the public issue tracker is appropriate for that kind of issue, and would like to know if there is a policy on feedback like that.
I believe my would-be issue is about something like a phishing vector (akin to hoax "verified links") and nothing beyond that. Also, it's not about a totally zero-day threat, though I don't think the topic is quite widely recognized either.
One approach here could be GitHub's security advisories, https://docs.github.com/en/code-security/security-advisories/working-with-repository-security-advisories/about-repository-security-advisories. @evanp, if you add a SECURITY.md file, https://docs.github.com/en/code-security/getting-started/adding-a-security-policy-to-your-repository, @tesaguri could report a security advisory privately.
I added a security document. I need to get admin access to the repo to set up security submissions. I'm going to self-assign and follow up on that.