open-services-group / community

This repository handles a few common things; it is mainly used by our bots...
GNU General Public License v3.0

[SIG Services][Guideline] Security manual and liability and sec. policies #241

Closed. tumido closed this issue 1 year ago.

tumido commented 2 years ago

Can be part of support guidelines.

Something like SLA specific to security.

Define SECURITY.md as per https://docs.github.com/en/code-security/getting-started/adding-a-security-policy-to-your-repository

Have a secure path for how users can report a found vulnerability.

General recommendation: Leverage security scanning and CVE monitors, keep deps up to date.

Have a prioritization in place for issues.

Have an SOP for how to handle it.

Security issues are triaged promptly.

Liability: scope of what is a "security matter" of a service and what is the user's own responsibility.

"The service provider is not the user's babysitter," but in better words.

sesheta commented 1 year ago

Issues go stale after 90d of inactivity. Mark the issue as fresh with /remove-lifecycle stale. Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

/lifecycle stale