Enable private reporting of vulnerabilities or document how to report vulnerabilities

[maxammann]

I wanted to report a security issue, but failed to find a contact. @dvdplm did not respond to an email I sent. I am aware that this repository is no longer maintained, but first wanted to confirm that posting the issue as GitHub issue is fine.

There are at least two possibilities:

• Enable GitHub private reporting
• Create a security policy (SECURITY.md) which documents how and who to contact.

If there is no response to this issue until 21. of August 2023, a GitHub issue about the vulnerability will be created.

[vkgnosis]

I have been the de facto maintainer for the last 1.5 years.

Post the vulnerability in a public issue. There is no one responsible enough for this project to act on private reports in a timely manner. Better to let everyone know about it. I'm going to make a change to the Readme to make the maintenance status clearer.