security.txt files exist for a while now. It is a standard for websites to make it easier for security researchers and companies to find a point of contact for security issues. RFC 9116 just got published so it is good time to consider it.
Since the only really needed thing is to expose a text file under
/.well-known/security.txt there is already nothing preventing administrators to deploy one (in the same way they can use the ACME protocol with the HTTP challenge) but for basic use cases they might prefer that Tuleap manages this endpoint (less system configuration to manage).
This request proposes to add the possibility of defining a primary security contact and to publish
/.well-known/security.txt when one is defined. More complex needs can be contributed later on or administrators can still fallback to deploy their own