Hi all,
Is there any way I can add my own /.well-known/security.txt into my Shopify store? It is an industry standard and I need a way to implement this.
Examples:
The resulting URL would be something like: https://my-store.myshopify.com/.well-known/security.txt
Or with a domain: https://my-store.com/.well-known/security.txt
If anyone has any advice on this, that would be most appreciated.
Thank you!
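As an added example (not code from this thread, from Shopify or from any poster): the file format the question is about, which was still an Internet-Draft when this thread was written and was later published as RFC 9116, together with a small validator a site owner can run before publishing one. The domain my-store.example and the contact addresses are constructed placeholders.

```python
from datetime import datetime, timezone, timedelta
SAMPLE = """\
# Constructed example of /.well-known/security.txt content; not a real domain
Contact: mailto:security@my-store.example
Contact: https://my-store.example/security-report
Expires: 2099-01-01T00:00:00Z
"""

def parse_time(value):
    # RFC 3339 date-time such as 2099-01-01T00:00:00Z; None if malformed or no UTC offset
    try:
        when = datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return None
    return when if when.tzinfo is not None else None

def parse_security_txt(text):
    # Return {field_name_lowercased: [values]}; '#' lines are comments, others need "name: value"
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if sep:
            fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields

def validate(fields, now=None):
    # Return the list of problems found; now is an RFC 3339 string so checks are reproducible
    now = parse_time(now) if now else datetime.now(timezone.utc)
    problems = []
    contacts = fields.get("contact", [])
    if not contacts:
        problems.append("missing required Contact field")
    for c in contacts:
        if not c.startswith(("https://", "mailto:", "tel:")):
            problems.append("Contact is not an https/mailto/tel URI: " + c)
    expires = fields.get("expires", [])
    if len(expires) != 1:
        problems.append("Expires must appear exactly once")
    else:
        when = parse_time(expires[0])
        if when is None:
            problems.append("Expires is not an RFC 3339 date-time: " + expires[0])
        elif when <= now:
            problems.append("Expires is in the past; the file is stale")
        elif when - now > timedelta(days=365):
            problems.append("Expires is more than a year out; RFC 9116 advises less")
    return problems
```

Running `validate(parse_security_txt(SAMPLE))` against a copy of your own published file, fetched separately, is a quick way to catch a stale Expires date.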
@Winbox
Firstly, please allow me to kindly correct your statement.
It's not an industry standard, at least not yet.
It's still an internet-draft. In other words, it's currently being taken under consideration whether it should be something to be widely implemented (and subsequently perhaps considered as a good practice/standard in web development) or not.
It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."
Reference for the security.txt informational document itemizing its objective plus the above cited paragraph can be found here.
Secondly, security.txt is not useful for an e-commerce platform like Shopify.
In general it is (would be) useful only for websites built from the ground up hosting their own servers and potentially doing bug bounty programs, which is essentially when a website offers a financial compensation for hackers who can find and report security breaches on their websites. As you have shared yourself, you can see that most big companies do make use of it since the vast majority run bug bounties.
Anyhow, when a security flaw is found within the Shopify ecosystem they wouldn't want to report it to one of its clients, but rather to Shopify itself.
This reinforces the lack of necessity of adding a security.txt file to their clients' stores.
Therefore, in conclusion, I don't think you'd need a security.txt in your Shopify website. Plus, answering your original question, I don't think it's possible either.
If I'm lacking any information or have shared something that is not congruent please do let me know and correct me.
Kind regards,
Diego
I think you're missing the point. This site location IS a very well recognised area and is used for all sorts of information and meta data. It is common for this area to be used on a website; as you say, it is more common for this to be used for sites built from the ground up.
However, some third party companies use this area for meta data and other validation checks. For example, Apple Pay requires you to store a file in this area. I have found the need to upload a file here in Shopify to allow these types of payments to be used. So your argument is slightly flawed or outdated. I agree that in Shopify it wouldn't be considered an important part, as apps wouldn't need this as they work in a different way.
"These “well-known locations”, “/.well-known/”. The directory location /.well-known isn’t a coincidence, it’s the result of a carefully considered RFC. This directory can be used for all kinds of information discovery."
Shopify is very restricted and lacks so many things a developer that works outside of Shopify would need, such as directory management; a typical developer would want to develop a website and manage secure integrations in the back end as well.
> Apple Pay requires you to store a file in this area
Interesting, I was not aware of it. Can you please forward me to the official reference where they state this? And why do they need to store a file in this area? What do they store in it? What's the purpose of it?
> I have found the need to upload a file here in Shopify to allow these types of payments to be used.
Which file did you need to upload? Apple Pay is built into Shopify by default. What was the purpose of the file(s) that you uploaded or had to upload?
> So your argument is slightly flawed or outdated.
Why exactly? My argument is founded upon their latest official publicly available document, which expires on 24 February 2021. Where can I find a more up-to-date and reliable source?
> "These “well-known locations”, “/.well-known/”. The directory location /.well-known isn’t a coincidence, it’s the result of a carefully considered RFC. This directory can be used for all kinds of information discovery."
You are quoting a blog post, not an official source.
I can't take that as an ultimate truth.
In addition, this source was last updated in March 2016, and the GitHub repository Mattias Geniar mentions in his blog post is deprecated, which means it is outdated and shall not be taken into consideration.
> a typical developer would want to develop a website and manage secure integrations in the back end as well.
No, I disagree.
Being a billion dollar business Shopify most definitely has got security covered, maintained and constantly updated.
Opening the possibility to customize the back-end would add an unnecessary layer of complexity & high potential security breaches, since developers are humans as well and are prone to mistakes. That is beyond the scope of what Shopify offers: an easy to use, "batteries included" online shop to sell your products. Simple as that.
More complex alternatives should be built from scratch or on other platforms that provide greater flexibility.
Kind regards,
Diego