by jarrett 4519 days ago
Yes, that would definitely be a viable strategy. It's probably the easiest one, and it's what I would do. In general, using HTTPS for anything related to your bug bounty program is probably good hygiene.

Though even without that, I don't think you need to have been to a lot of key signing parties. The entry point of trust could very well be another organization--not GitHub, not someone at a key signing party. As long as the signature chain points back to an identity you can trust, you're good to go.