securitytxt.org VS shlomi-fish-homepage

You might consider setting up security.txt notifications, per RFC 9116, to funnel people into the right notification paths. Otherwise, they might try spamming random emails they find or can guess at. I've had external researchers contact our CTO and CEO directly, creating a new problem for me.

Check if they have a security.txt, if they do not, check their /security. If both come up empty, use any contact form that they have available.

In addition to the Bug bounty programs already posted in the comments, I'd suggest you create a security.txt with a dedicated security contact.

Does the website have a responsible disclosure page or a security.txt?

there's technically https://securitytxt.org as well; but sadly it's not in super duper wide deployment (some big places have it, though!)

Especially in the area you guys are operating in, I think it would be great if you could implement RFC 9116 (https://securitytxt.org/). If someone finds a vulnerability on your website, the client or even the SPN, this would make communication or a responsible disclosure process much easier. Furthermore, it would be great if the possibility for secure communication with your staff (e.g. using GPG) would be possible.

When do companies finally start adopting the `security.txt` proposal (see https://securitytxt.org).

Would have made a big difference!

Well, Plato considered craziness as divine (but excluded humour for example): https://en.wikipedia.org/wiki/Divine_madness . Later on, navi was mistranslated by the Septuaginte as "prophet", which also influenced later Jewish thought. Anyway, insane people at the time were likely used as sources of guidance and advice (see a WiP essay I wrote about that and "a navi" (נביא) was also a philosopher, educator, and entertainer (like the image macro based on https://www.youtube.com/watch?v=GoZ3bu23BMA jokes about).