add a SECURITY.md file?

[devoncarew]

If we add a SECURITY.md file here, I believe that all the dart-lang/ repos - that don't have their own security files - will inherit this one.

See the recent github blog about this here:
https://github.blog/2022-02-09-coordinated-vulnerability-disclosure-cvd-open-source-projects/

And, the SECURITY.md file we use for the dart-lang/sdk repo: https://github.com/dart-lang/sdk/blob/main/SECURITY.md.

cc @athomas @mit-mit @kevmoo

[athomas]

One thing we're missing is to decide on a place to publish advisories for these repos. For the SDK, we use GitHub.

[athomas]

For dart-lang, my recommendation would be to use per-repo GitHub advisories across the board (until something better comes along).

[athomas]

Perhaps something like this (the relative link should work when the SECURITY.md is displayed):

## Reporting vulnerabilities
To report potential vulnerabilities, please see our security policy on
[https://dart.dev/security](https://dart.dev/security).

## Published security advisories

For advisories published for in this repository, see
[security advisories](../../security/advisories?state=published).

I'm a bit unsure if the relative link will work well for both https://github.com/dart-lang/sdk/security/policy and https://github.com/dart-lang/sdk/blob/main/SECURITY.md, though. There also doesn't seem to be a page we can link to that lists all security advisories for dart-lang.

[mit-mit]

I think we should have a deeper discussion of where advisories should be published before we go ahead with this.

[godofredoc]

We may want to consider writing a generic SECURITY.md file that applies to all the projects in dart-lang. This way it can be added to https://github.com/dart-lang/.github/ and it will be automatically applied to all the projects.