docs: add security policy

[JacobCoffee]

What

• Sources a security policy so that users (hopefully) do not create issues on this repo

Why

• There isn't one
• Clear communication for users to see how to report potential security issues

See Also

python/pythondotorg#2417

[hugovk]

This PR will add links for all repos under https://github.com/python to the security policy:

• https://docs.github.com/en/communities/setting-up-your-project-for-healthy-contributions/creating-a-default-community-health-file#supported-file-types
• https://docs.github.com/en/code-security/getting-started/adding-a-security-policy-to-your-repository

The policy at https://www.python.org/dev/security/ says it only covers official CPython and pip.

It doesn't mention other projects under https://github.com/python, such as mypy, blurb, pyperformance and tzdata: https://github.com/orgs/python/repositories?type=all

I think it's reasonable to include those, but let's ask the PSRT first.

[JelleZijlstra]

Do we really need to obfuscate this?

[JacobCoffee]

@hugovk thoughts (ref: python/pythondotorg#2417 (comment))

[hugovk]

I personally don't mind, my suggestion was to copy https://www.python.org/dev/security/, there must have been a reason to do it there 🤷

[sobolevn]

@JacobCoffee welcome, nice to see you here 👋

Applying this to the whole org will also impact projects like mypy / typeshed / typing_extensions / multiple others.

Is it correct? Do we expect all security notices about these project to be reported the same way?

[hugovk]

Yes, it would show up on all repos under https://github.com/python.

I've asked the PSRT to confirm they're fine with it, and a couple of mypy maintainers said they'd be happy to receive reports via the PSRT. (Mypy being the most likely to receive security reports.)