glamod / cdm_reader_mapper

MIT License

Vulnerability report process #53

Open ludwiglierhammer opened 3 months ago

ludwiglierhammer commented 3 months ago

It is recommended to create a security policy that includes a mail address to contact if one has found a security vulnerability, in order to follow best practices for Free/Libre and Open Source Software (FLOSS) projects.

As an example, you can have a look at xclim's security policy.

@aanderss, @rcornes Do we have a mail address to contact in this case?

rcornes commented 3 months ago

As project lead, this should be a DWD address.