This article presents what it claims is the generally accepted approach, makes a viable case for why the author thinks it should be the generally accepted approach, but doesn’t actually back up why they think it really is generally accepted.
A reminder that coordinated disclosure is an option but if you’ve identified a security problem outside of contracted work, you can make your own assessment about how you proceed.
security.txt: https://en.wikipedia.org/wiki/Security.txt
Responsible disclosure -> CVD: Coordinated Vulnerability Disclosure: https://en.wikipedia.org/wiki/Coordinated_vulnerability_disc...
OWASP Vulnerability Disclosure Cheat Sheet: https://cheatsheetseries.owasp.org/cheatsheets/Vulnerability...