[X] I checked the documentation and made sure this feature does not already exist
[X] I checked the existing issues to make sure this feature has not already been requested
Feature
The server currently lacks a security.txt file, which is considered a best practice for improving web security. The security.txt file offers a standardized mechanism for security researchers to report vulnerabilities, thereby enhancing our ability to address potential security issues in a timely manner. This feature is widely adopted by major organizations like Google, Facebook, and GitHub, as well as endorsed by governmental bodies across the globe. Implementing this file would align us with industry standards and improve our security posture by providing a designated channel for vulnerability disclosure.
Additional Information (Optional)
“When security risks in web services are discovered by independent security researchers who understand the severity of the risk, they often lack the channels to disclose them properly. As a result, security issues may be left unreported. security.txt defines a standard to help organizations define the process for security researchers to disclose security vulnerabilities securely.”
security.txt files have been implemented by Google, Facebook, GitHub, the UK government, and many other organisations. In addition, the UK’s Ministry of Justice, the Cybersecurity and Infrastructure Security Agency (US), the French government, the Italian government, the Dutch government, and the Australian Cyber Security Centre endorse the use of security.txt files.