The proposal is to place the file at /.well-known/security.txt.
And even if it wasn't, there is plenty of namespace room to put every file someone argues for in a 2-page RFC at root. After all, there are only 1024 low-numbered TCP ports and we haven't run out of those yet.
Don’t get me wrong; I dig file-based interfaces, but each time they add another file, it’s another request.
And it’s Anglocentric to continue to unnecessarily put multiple English words into the path; those can’t be touched up with a later RFC to support Japanese in the file content via a Lang attribute.
The whole thing is shit bad, I’m sorry. Just come up with something that makes fucking sense for once.
The web is not a junkyard.