sknebelhm, rereading the webmention spec the security section focusses on the sender side in a few subsections (don't send WMs to localhost, don't send WMs to servers in private networks), but the same concerns apply similarly to webmention verification?
