Create a Security Policy

[kate-goldenring]

As an OpenSSF best practice, projects MUST publish the process for reporting vulnerabilities on the project site. We should create a SECURITY.md file and have an email for reporting

[kate-goldenring]

I am thinking of following a similar reporting strategy we had with Akri: https://github.com/project-akri/akri/blob/main/SECURITY.md.

I'm starting by filing a service desk request to get cncf-spin-security@lists.cncf.io created for us. All emails sent to that will then be forwarded to the maintainers emails (with service desk access)

[kate-goldenring]

In the future, we may want to create a mailing list to announce security vulnerabilities as done by containerd https://github.com/containerd/project/blob/main/SECURITY.md#joining-the-security-announce-mailing-list