Add Security Policy

[JoelSpeed]

Description

This adds a security policy for the project to ensure the community understand how to report security vulnerabilities and how we will respond to them.

I have added this to the current and previous versioned docs.

Motivation and Context

We should have had one of these for a long time!

Fixes #31

How Has This Been Tested?

cd docs
yarn start

Checklist:

• My change requires a change to the documentation or CHANGELOG.
• I have updated the documentation/CHANGELOG accordingly.
• I have created a feature (non-master) branch for my PR.

[NickMeves]

Will this always be a patch release?

At some points master has so many PRs merged, it might be included in a minor or major release if those are the next around the corner unless we backport, right?

[JoelSpeed]

Erm, yeah, probably not, I'll drop the word patch in this sentence

[NickMeves]

Worth mentioning not to open a PR with a proposed fix either?

[JoelSpeed]

Yeah good point, I'll update

[NickMeves]

Sometimes they are minor security nice to haves and we decide to use traditional public PRs to collaborate and merge the change.

Do we want to document that decision process of public vs security advisory PR?

[JoelSpeed]

I'm not sure that's worth documenting other than, if the issue is minor, we may instead use the standard PR flow, WDYT? What kind of thoughts were you thinking of documenting?

[NickMeves]

LGTM!