The main purpose of security.txt is to help make things easier for companies and security researchers when trying to secure platforms. Thanks to security.txt, security researchers can easily get in touch with companies about security issues.
security.txt is currently an Internet draft that has been submitted for RFC review. This means that security.txt is still in the early stages of development. We welcome contributions from the public: https://github.com/securitytxt/security-txt
The current draft states that the security.txt file should be located under the top-level directory. We are currently debating whether or not the file should be placed under the /.well-known/ path (/.well-known/security.txt) [RFC5785]. The discussion can be found here.
The email value is an optional field. If you are worried about spam you can set a URI as the value and link to your security policy.
The editor would like to acknowledge the help provided during the development of security.txt by the following individuals:
Tom Hudson helped writing the "File Format Description" and wrote several security.txt parsers.
Joel Margolis was a big help when it came to wording the Internet draft appropriately.
Jobert Abma for raising issues and concerns that might arise when using certain directives.
Gerben Janssen van Doorn for reviewing the Internet draft multiple times.
Justin Calmus was always there to answer questions related to writing the Internet draft.
Casey Ellis had several ideas related to security.txt that helped shape security.txt itself.
Ryan Black for registering securitytxt.org and setting up the website.