chore(docs): add security.txt

docs/public/.well-known/security.txt

@@ -0,0 +1,31 @@
+Contact: mailto:info@balazsorban.com
+Contact: mailto:hi@thvu.dev
+Contact: mailto:authjs-security@ndo.dev
+Acknowledgments: https://authjs.dev/security
+Preferred-Languages: en
+Canonical: https://authjs.dev/.well-known/security.txt
+
+# Security Policy
+
+NextAuth.js practices responsible disclosure.
+
+## Reporting a Vulnerability
+
+We request that you contact us directly to report serious issues that might impact the security of sites using NextAuth.js.
+
+If you contact us regarding a serious issue:
+
+- We will endeavor to get back to you within 72 hours.
+- We will aim to publish a fix within 30 days.
+- We will disclose the issue (and credit you, with your consent) once a fix to resolve the issue has been released.
+- If 90 days has elapsed and we still don't have a fix, we will disclose the issue publicly.
+
+The best way to report an issue is by contacting us via email at hi@thvu.dev, info@balazsorban.com and yo@ndo.dev, or raise a public issue requesting someone get in touch with you via whatever means you prefer for more details. (Please do not disclose sensitive details publicly at this stage.)
+
+> For less serious issues (e.g. RFC compliance for unsupported flows or potential issues that may cause a problem in the future) it is appropriate to submit these publicly as bug reports or feature requests or to raise a question to open a discussion around them.
+
+## Supported Versions
+
+Security updates are only released for the current version.
+
+Old releases are not maintained and do not receive updates.

docs/vercel.json

@@ -12,6 +12,11 @@
     }
   ],
   "redirects": [
+    {
+      "source": "/security.txt",
+      "destination": "/.well-known/security.txt",
+      "permanent": true
+    },
     {
       "source": "/new/provider-issue",
       "destination": "https://github.com/nextauthjs/next-auth/issues/new?assignees=&labels=triage%2Cproviders&template=2_bug_provider.yml",