%% You should probably cite rfc9116 instead of this I-D. @techreport{foudil-securitytxt-04, number = {draft-foudil-securitytxt-04}, type = {Internet-Draft}, institution = {Internet Engineering Task Force}, publisher = {Internet Engineering Task Force}, note = {Work in Progress}, url = {https://datatracker.ietf.org/doc/draft-foudil-securitytxt/04/}, author = {Edwin Foudil and Yakov Shafranovich}, title = {{A Method for Web Security Policies}}, pagetotal = 19, year = 2018, month = jul, day = 16, abstract = {When security risks are discovered by independent security researchers, they often lack the channels to disclose them properly. As a result, security issues may be left unreported. This document defines a standard ("security.txt") to help organizations describe the process for security researchers to follow in order to disclose security vulnerabilities securely.}, }