
Add security policy #26204

Merged
merged 1 commit into from Jun 8, 2023

Conversation

pnacht
Contributor

@pnacht pnacht commented Jun 6, 2023

Fixes: #26205

Description

Anyone who's found a vulnerability in three.js (i.e. denial-of-service) has no clear way of privately reporting it. This PR adds a security policy that tells users how to report vulnerabilities responsibly.

The current version of the policy suggests users either send an email (to an address found in the Code of Conduct) or use GitHub's private reporting tool. If you'd rather choose just one, change the email (if you'd rather use another with a smaller or different subset of maintainers) or anything else, let me know and I'll patch the PR!

This contribution is funded by Google.

Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>
@LeviPesin
Contributor

Could you please explain what could be a security vulnerability in Three.js? What attack scenario could use it?

@pnacht
Contributor Author

pnacht commented Jun 6, 2023

I mentioned DoS attacks above, but given three.js is client-side, the more reasonable attack would likely be something that causes three.js to hang and consume all memory when given what should be acceptable inputs, crashing the entire site for the user.

Another threat would be a malicious import to run a crypto miner every time three.js loads.

@donmccurdy
Collaborator

donmccurdy commented Jun 6, 2023

I agree that a security policy is a fair thing to ask. Another example could be discovering a vulnerability in one of our model loaders, allowing maliciously-crafted 3D models to execute code on a website that allows user-generated model uploads. The risk is dramatically worse if the user is logged in to that website, because the executable code runs within the user's authenticated session, and could make network requests.

Whether we are comfortable handling security disclosures as documented in the PR, I will leave others to decide.

Related discussion on Stack Overflow: https://stackoverflow.com/a/76415718/1314762.

@mrdoob mrdoob added this to the r154 milestone Jun 8, 2023
@mrdoob mrdoob merged commit b2f7499 into mrdoob:dev Jun 8, 2023
18 checks passed