[Feature] Serve a /.well-known/security.txt file

[AverageHelper]

I have searched the existing feature requests to make sure this is not a duplicate request.

• Yes

The feature

Immich instances should serve a text file at /.well-known/security.txt, and one at https://immich.app, to direct researchers in a standard way what to do about reporting security vulnerabilities.

security.txt (https://securitytxt.org) is a proposed standard for websites to make their security policy easy for researchers to find. Such a file might be served at https://immich.app/.well-known/security.txt, with a similar file served by individual Immich instances.

For example, Forgejo instances serve one that directs readers to the main project. This could be adapted to Immich like so:

# This site is running an Immich instance.
# Immich-related security problems should be reported to the Immich security team.
# Security problems related to this instance should be reported to its administration.
Policy: https://github.com/immich-app/immich/blob/ba7280288870eb740aa93fc17374ff1f062f371d/SECURITY.md
Contact: mailto:[email protected]
Preferred-Languages: en
Expires: 2025-12-25T00:00:00Z

Forgejo's own website also serves one, which Immich might adapt like so:

Contact: mailto:[email protected]
Expires: 2025-12-25T00:00:00.00Z
Preferred-Languages: en
Canonical: https://immich.app/.well-known/security.txt

Largely the same, but note the Canonical entry. Immich might also consider adding a Policy entry as well pointing to SECURITY.md, and an additional Contact entry (the file may contain multiple) that links to GitHub's Draft Advisory page.

Bonus points:

• Consider a redirect from /security.txt to /.well-known/security.txt, for convenience.

I'd be happy to create a pull request to add these files. The real trick is the maintenance burden to keep the Expires date(s) current, and to update the Contact entries as needed, so I figure the team should give input first.

Platform

• Server
• Web
• Mobile