by gregmac 3172 days ago
Yeah, I was looking for the same. All the draft [1] says is:

    2.5.  Disclosure:

    Specify your disclosure policy.  This directive MUST be a disclosure
    type.  The "Full" value stands for full disclosure, "Partial" for
    partial disclosure and "None" means you do not want to disclose
    reports after the issue has been resolved.  The presence of a
    disclosure field is NOT permission to disclose vulnerabilities and
    explicit permission MUST be saught where possible.
In contrast, the actual generator tool on the website uses a URL (https://example.com/disclosure.html) as a placeholder, which doesn't comply with this section.

[1] https://tools.ietf.org/html/draft-foudil-securitytxt-00#sect...

1 comment
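To make the mismatch concrete, here is a small checker (an added example, not code from the commenter, the draft or the generator tool) that parses a security.txt body and validates the Disclosure directive against the three values section 2.5 allows; the sample files are constructed, and the URL in the second one is the generator's placeholder quoted above.

```python
# Allowed values for Disclosure per draft-foudil-securitytxt-00, section 2.5
DISCLOSURE_TYPES = {"full", "partial", "none"}

# Constructed samples: one follows the draft, one uses the generator's URL placeholder
COMPLIANT = """Contact: security@example.com
Disclosure: Partial
"""
GENERATOR_STYLE = """Contact: security@example.com
Disclosure: https://example.com/disclosure.html
"""


def parse_security_txt(text):
    """Parse 'Field: value' lines into {lowercase field: [values]}.

    Blank lines and '#' comments are skipped; a field may repeat.
    """
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue  # not a directive line
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def check_disclosure(text):
    """Return (ok, message) for the Disclosure directive of a security.txt body."""
    values = parse_security_txt(text).get("disclosure", [])
    if not values:
        return True, "no Disclosure directive present"
    # Case-insensitive match: the draft lists the values as Full, Partial, None
    bad = [v for v in values if v.lower() not in DISCLOSURE_TYPES]
    if bad:
        return False, "Disclosure must be Full, Partial or None; got %r" % bad
    return True, "Disclosure is a valid disclosure type: %s" % values[0]


if __name__ == "__main__":
    for label, body in (("draft", COMPLIANT), ("generator", GENERATOR_STYLE)):
        ok, msg = check_disclosure(body)
        print("%-9s %s: %s" % (label, "OK " if ok else "BAD", msg))
```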

Explicit permission must be saught (sic)? How does that work?
It doesn't even make sense if you assume the terms are defined, because disclosure obligations are bilateral. If I'm reporting a bug to your site because I've found a new ImageMagick vulnerability, it is more likely that I the reporter want an embargo from you the site operator than the other way around.