docs: add security policy (#1037)

Author: bepri

SECURITY.md

@@ -0,0 +1,34 @@
+# Security policy
+
+## Release cycle
+
+<!--
+The information under this header may not be strictly accurate for all apps and libraries.
+Review the wording carefully and only copy it if the support offered makes sense. If it
+seems wrong, speak with Canonical Security Engineering about refining a version for
+your application.
+-->
+
+Canonical tracks and responds to vulnerabilities in:
+
+- The most recent patch version of Craft Parts.
+- Any version of Craft Parts that's included in a current release of a Canonical
+  product.
+
+## Reporting a vulnerability
+
+<!---
+Replace the first link in this section with your repository's advisories board. See
+GitHub's documentation for enabling the security advisory tab on a repository:
+https://docs.github.com/en/code-security/security-advisories/working-with-repository-security-advisories/configuring-private-vulnerability-reporting-for-a-repository
+-->
+
+To report a security issue, file a [Private Security Report] with a description of the
+issue, the steps you took to create the issue, affected versions, and, if known,
+mitigations for the issue.
+
+The [Ubuntu Security disclosure and embargo policy] contains more information about
+what you can expect when you contact us and what we expect from you.
+
+[Private Security Report]: https://github.com/canonical/craft-parts/security/advisories/new
+[Ubuntu Security disclosure and embargo policy]: https://ubuntu.com/security/disclosure-policy