The idea behind Security.txt is straightforward: The organization places a file called security.txt in a predictable place — such as example.com/security.txt, or example.com/.well-known/security.txt. What’s in the security.txt file varies somewhat, but most include links to information about the entity’s vulnerability disclosure policies and a contact email address.
Source: https://krebsonsecurity.com/2021/09/does-your-organization-have-a-security-txt-file/
Check out some examples: