docs: how to report security vulnerabilities

SECURITY.md

@@ -0,0 +1,29 @@
+# Security (Top level page)
+
+## Vulnerability reporting (security issues)
+
+We gratefully welcome vulnerability reports!
+
+If you find a significant vulnerability, or evidence of one,
+please send an email to the security contacts that you have such
+information, and we'll tell you the next steps.
+
+For now, the security contacts are listed in the AUTHORS file at the root of
+this project's repository.
+
+Please use an email system (like Gmail) that supports
+hop-to-hop encryption using STARTTLS when reporting vulnerabilities.
+Examples of such systems include Gmail, Outlook.com, and runbox.com.
+See [STARTTLS Everywhere](https://starttls-everywhere.org/)
+if you wish to learn more about efforts to encourage the use of STARTTLS.
+Your email client should use encryption to communicate with
+your email system (i.e., if you use a web-based email client then use HTTPS,
+and if you use email client software then configure it to use encryption).
+Hop-to-hop encryption isn't as strong as end-to-end encryption,
+but we've decided that it's strong enough for this purpose
+and it's much easier to get everyone to use it.
+
+We will gladly give credit to anyone who reports a vulnerability
+so that we can fix it.
+If you want to remain anonymous or pseudonymous instead,
+please let us know that; we will gladly respect your wishes.