add security.txt and /contact#help-security

app/views/site/contact.scala

@@ -196,6 +196,29 @@ object contact {
           p("If you faced an error page, you may report it:"),
           howToReportBugs
         )),
+        Leaf("security", "Security vulnerability", frag(
+          p(s"Please report security issues to $contactEmail."),
+          p(
+            "Like all contributions to Lichess, security reviews and pentesting are appreciated. ",
+            "Note that Lichess is built by volunteers and we currently do not have a bug bounty program. ",
+            "At your option, we're happy to publicly thank you for any findings."
+          ),
+          p(
+            "Vulnerabilities are relevant even when they are not directly exploitable, ",
+            "for example XSS mitigated by CSP."
+          ),
+          p(
+            "When doing your research, please minimize negative impact for other users. ",
+            "As long as you keep this in mind, testing should not require prior coordination. ",
+            "Avoid spamming, DDoS and volumetric attacks."
+          ),
+          p(
+            "We believe transport encryption should be sufficient for all reports. ",
+            "If you insist on using PGP, please clarify the nature of the message ",
+            "in the plain-text subject and encrypt for ",
+            a(href := "/.well-known/gpg.asc")("multiple recipients"), "."
+          )
+        )),
         Leaf("other-bug", "Other bug", frag(
           p("If you found a new bug, you may report it:"),
           howToReportBugs

security.txt

@@ -0,0 +1,5 @@
+Contact: mailto:contact@lichess.org
+Encryption: https://lichess.org/.well-known/gpg.asc
+Preferred-Languages: en
+Canonical: https://lichess.org/.well-known/security.txt
+Policy: http://localhost/contact#help-security