Add a security policy

[pnacht]

Description

If someone's found a potential security vulnerability (i.e. denial-of-service attack) in three.js, they should be able to report it privately, so that a new release with a fix can be released before the vulnerability is exploited in the wild.

Solution

three.js should have a security policy (SECURITY.md) letting anyone with a suspected vulnerability get in touch and work with maintainers out of the public eye. GitHub recommends having such a policy.

The security policy can be found by users who enter the project's "Security" panel. A new issue "type" will also be added to the "New issue" window pointing users to the policy if they've found a vulnerability.

There are two main ways to receive disclosures:

• register an email or website available to receive such reports; and/or
• use GitHub's private vulnerability reporting

If you want to use GitHub's reporting system, it must be activated for the repository:

1. Open the repo's settings
2. Click on Code security & analysis
3. Click "Enable" for "Private vulnerability reporting"

I'll send a PR with a draft policy along with this issue.

Alternatives

Instead of a separate file, having the relevant information in the project's README would also suffice, but then it won't appear in the Security panel or in the "New issue" type selection window.

Additional context

Disclosure: My name is Pedro and I work with Google and the Open Source Security Foundation (OpenSSF) to improve the supply-chain security of the open-source ecosystem.