RFC 9116 was published this year, which promotes having /.well-known/security.txt as a standard file woth contact information for security issues.
It also notes that having this file does not mean you're running a CTF exercise :)
https://www.rfc-editor.org/rfc/rfc9116