docs: add security policy

[ajbozarth]

Misc PR

Type of PR

• Bug Fix
• New Feature
• Documentation
• Other

Description

• Link to Issue: Fixes sugg: Add SECURITY.md / policy #340

Implements a SECURITY.md policy. This policy was taken from other IBM open source projects such as beeai-framework and qiskit-serverless and is a simple version of the standard GitHub policy.

Testing

• Tests added to the respective file if code was changed
• New code has 100% coverage if code as added
• Ensure existing tests and github automation passes (a maintainer will kick off the github automation when the rest of the PR is populated)

[github-actions]

The PR description has been updated. Please fill out the template for your PR to be reviewed.

[mergify]

Merge Protections

Your pull request matches the following merge protections and will not be merged until they are valid.

🟢 Enforce conventional commit

Wonderful, this rule succeeded.

Make sure that we follow https://www.conventionalcommits.org/en/v1.0.0/

• title ~= ^(fix|feat|docs|style|refactor|perf|test|build|ci|chore|revert|release)(?:\(.+\))?:

[ajbozarth]

looking at the security tab we may also need to enable reporting once this is merged as I see no report button at the location linked in this new doc (like I see at https://github.com/Qiskit/qiskit-serverless/security)

[planetf1]

@ajbozarth Agreed - the text looks good to me, but one of the admins will need to enable private vuln. reporting as per https://docs.github.com/en/code-security/how-tos/report-and-fix-vulnerabilities/configure-vulnerability-reporting/configuring-private-vulnerability-reporting-for-a-repository

[ajbozarth]

Status Update: This needs to following before merge:

• PR approval (preferably from @nrfulton)
• A repo admin enabling private vulnerability reporting (I can't do this as I only have write access not admin)

[psschwei]

LGTM