Enable security reports

[sudo-bmitch]

Should distribution-spec enable the security reports feature recently launched by GitHub? I'm leaning towards yes, but wanted to get some buy in before clicking the button.

https://docs.github.com/en/code-security/security-advisories/repository-security-advisories/configuring-private-vulnerability-reporting-for-a-repository

[samuelkarp]

It'd be useful to get the folks who are currently on the security@opencontainers.org list access to any incoming reports here as well. Some of the incoming reports have been cross-cutting and having consistent access has been useful for coordinating the response.

[sudo-bmitch]

@opencontainers/distribution-spec-maintainers I plan to turn this on today, and it can be disabled if we later discover an issue.

[sudo-bmitch]

This has been enabled.