security.txt is currently an Internet draft that has been submitted for RFC review.
https://github.com/securitytxt/security-txt
And as a followup to T158119, we could/should probably expand SECURITY in mw core to say something similar
Where should I put the security.txt file?
The security.txt file should be placed under the /.well-known/ path (/.well-known/security.txt) [RFC5785].
Not sure if using /.well-known/ is going to cause an issue. Probably a question for SRE under Wikimedia-Apache-configuration
Spurred by more security bugs going to OTRS, so either people are lazy, or we're not visible enough... Or security@domain isn't as common as we'd think
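As an added illustration of the well-known location quoted above (example code, not from the task or the securitytxt project): the function below derives the required /.well-known/security.txt URL for an origin and runs a basic sanity check over a constructed security.txt. Field names follow the draft as later published (RFC 9116); the sample file, example.org addresses and the check rules are assumptions for the example.

```python
"""Added example: locate and sanity-check a security.txt (constructed data)."""
from urllib.parse import urlsplit

WELL_KNOWN_PATH = "/.well-known/security.txt"   # [RFC5785] location
ALLOWED_CONTACT_SCHEMES = ("https", "mailto", "tel")


def security_txt_url(origin: str) -> str:
    """Return the URL at which a site's security.txt must be served."""
    parts = urlsplit(origin)
    return f"{parts.scheme}://{parts.netloc}{WELL_KNOWN_PATH}"


def parse_security_txt(text: str) -> dict:
    """Parse 'Field: value' lines; '#' lines are comments; fields may repeat."""
    fields: dict = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def check_security_txt(text: str) -> list:
    """Return a list of problems; an empty list means the file is acceptable."""
    fields = parse_security_txt(text)
    problems = []
    contacts = fields.get("contact", [])
    if not contacts:
        problems.append("no Contact field: reporters have nowhere to send reports")
    for contact in contacts:
        # A bare e-mail address is not a URI; the draft wants mailto:/https:/tel:
        if urlsplit(contact).scheme not in ALLOWED_CONTACT_SCHEMES:
            problems.append(f"Contact must be an https:, mailto: or tel: URI: {contact}")
    return problems


# Constructed sample; not any real site's file.
SAMPLE = """# Security contact for example.org (constructed sample)
Contact: mailto:security@example.org
Contact: https://example.org/report-a-bug
Encryption: https://example.org/pgp-key.txt
"""

if __name__ == "__main__":
    print(security_txt_url("https://example.org/wiki/Main_Page"))
    print(check_security_txt(SAMPLE) or "ok")
```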