Open baentsch opened 3 months ago
This is also to document the verbal agreement by @hartm and @dstebila to facilitate a "dry-run" security incident handling exercise with the team designated by way of resolving this issue. One goal of this is to get input regarding the responsibilities of maintainers and contributors in this regard.
In case this group finds these resources useful for that discussion, the incident response file may be particularly helpful. https://github.com/cncf/tag-security/tree/main/community/resources/project-resources#security-resources-for-projects
A special thank you to Google's OSS vulnerability guide folks for making the Security TAG aware of the collection of resources upon which much of this content was built.

- [SECURITY.md](https://github.com/cncf/tag-security/blob/main/community/resources/project-resources/templates/SECURITY.md): a draft security file that outlines subscribing to security bulletins, how to report issues, and supported versions.
- [SECURITY_CONTACTS.md](https://github.com/cncf/tag-security/blob/main/community/resources/project-resources/templates/SECURITY_CONTACTS.md): a draft security contacts file to allow potential issue submitters to know who they can expect to hear from or how to follow up on issues.
- [ISSUE_TEMPLATE.md](https://github.com/cncf/tag-security/blob/main/community/resources/project-resources/templates/ISSUE_TEMPLATE.md): a draft issue template to remind issue submitters that potential vulnerabilities should not be submitted as issues.
- [incident-response.md](https://github.com/cncf/tag-security/blob/main/community/resources/project-resources/templates/incident-response.md): a draft, detailed incident response plan that covers how to triage issues, confirm vulnerabilities, leverage security advisories, and push a patch/release.
- [embargo-policy.md](https://github.com/cncf/tag-security/blob/main/community/resources/project-resources/templates/embargo-policy.md): a draft embargo policy that outlines the time frame and conditions surrounding disclosures.
- [embargo.md](https://github.com/cncf/tag-security/blob/main/community/resources/project-resources/templates/embargo.md): a draft embargo notification that details the contents a notification should contain.

Disclaimer: These resources are designed to be helpful to projects and organizations; they require customization and configuration by the project intending to use them. They do not prevent security issues from being found in a project, will not automatically resolve them, and do not place the CNCF Security TAG as the responsible party. If changes are made to these templates, projects are not required to pull in a new update.
Thanks @TheFoxAtWork for the helpful resources!
Currently only two OQS sub-projects have publicly documented SECURITY.md handling procedures defined. The set of people receiving "privately" reported security vulnerabilities in those is pretty large (>10), as per https://github.com/open-quantum-safe/oqs-provider/issues/451#issuecomment-2259035295.
This issue is to codify and reduce this number to the people explicitly agreeing to and able to handle security incidents (e.g., a Vulnerability Management Team), and to decide whether other OQS sub-projects should be subject to this procedure as well.