Add an indicator and procedure to check for security.txt

[billfitzgerald]

This check should be in the existing section on Vulnerability disclosure program:

The precise location of this new indicator should be under this Criteria: Security > Data Security > Vulnerability disclosure program > The company is willing and able to address reports of vulnerabilities.

• Indicator: The company publishes a security.txt file in the .well-known directory that contains relevant contact information for security researchers
• Procedure: Check the web site of the company for the presence of a security.txt file.
• Procedure: Check the privacy policy, terms of service, or some other legally binding document for information about the location of the security.txt file

[billfitzgerald]

For more info and details (or possibly to refine the language) see https://securitytxt.org/