docs: add security documentation

Author: dbartholomae

SECURITY.md

@@ -0,0 +1,17 @@
+# Security policy
+
+If you find a security vulnerability, do NOT open an issue. Email
+[[email protected]](mailto:[email protected]&subject=Security%20vulnerability%20in%20repo)
+instead. This reduces the risk of criminals getting aware and exploiting the
+vulnerability before we got a chance to fix it.
+
+In order to determine whether you are dealing with a security issue, ask yourself these two questions:
+* Can I access something that's not mine, or something I shouldn't have access to?
+* Can I disable something for other people?
+
+If the answer to either of those two questions are "yes", then you're probably dealing with a security issue.
+Note that even if you answer "no" to both questions, you may still be dealing with a security issue, so if you're
+unsure, just email us at [[email protected]](mailto:[email protected]&subject=Security%20vulnerability%20in%20repo).
+
+If the bug is not security related, please use the corresponding issue template
+to submit it on GitHub.