Add security note to repository

In order to simplify the communication with security researcher and
allow reporting of issues, this document should provide a rough idea
about:

1. What versions are supported
2. Who to contact
3. How to send findings properly secured
4. What to expect from an approved security issue
5. What if it's not considered a security issue

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>

SECURITY.md

@@ -0,0 +1,32 @@
+# Security Policy
+
+## Supported Versions
+
+Only the latest release of CodiMD is supported. We don't have the
+ressources to maintain multiple versions.
+
+## Reporting a Vulnerability
+
+If you find a vulnerability for [this repository](https://github.com/codimd/server), please report it to 
+[@SISheogorath](https://github.com/SISheogorath).
+
+Please report your findings OpenPGP encrypted. If you are not aware of
+how to use OpenPGP, please refer to [@SISheogorath's OpenPGP page](https://shivering-isles.com/pgpme),
+which will take care of the encryption for you.
+
+We'll get back to you as soon as possible. You can expect an answer within
+3 days, in rare cases within a month. If you don't get a reply within a month,
+please reach out for other contact addresses in the [community chat](https://riot.im/app/#/room/#codimd:matrix.org).
+
+When your findings are accepted as a security issue, we'll work an a fix or
+at least a workaround for the next release. With the release that contained
+the fix, we want to encurage you to publish your findings as you like.
+
+We'll also credit you in the release notes.
+
+When your findings are not accepted as a security issue, feel free to write
+a fix yourself and contribute it to CodiMD, as well as publish them as you
+like and allow people to make in informed decision about using CodiMD.
+
+If you have any further questions, feel free to reach out to the
+[community chat](https://riot.im/app/#/room/#codimd:matrix.org) or the mentioned contacts above.