With more and more independent security researchers and AI-generated security scanning of OSS repos, we probably want a SECURITY.md file.
We inherit a Security declaration in GitHub from the Apache Org. It is mainly just a declaration of how to report issues but not what we support. https://github.com/apache/pekko?tab=security-ov-file#readme
The Apache Pekko tooling in this repo has many varied use cases but at the end of the day, we encouraged Pekko users to:
- never accept inputs from untrusted users
- when using Pekko Cluster (and Pekko Remote), ensure that all the nodes are behind a firewall
  - this is still the case even if you enable TLS and mutual authentication between TLS peers
Don't raise any sensitive topics like security issues or internal ASF discussions here. This discussion is just about defining a detailed security model.
I would welcome scans of the Pekko code base but for me, most issues would probably land as bug reports as opposed to being treated as security issues that have CVEs reported for them.
We also have some more specific details on our website.
https://pekko.apache.org/docs/pekko/current/security/index.html
If any security researcher finds this discussion, please read https://pekko.apache.org/docs/pekko/current/security/index.html#reporting-vulnerabilities and the linked documentation.