docs: add security policy

[JacobCoffee]

What

• Sources a security policy so that users (hopefully) do not create issues on this repo

Why

• There isn't one
• Clear communication for users to see how to report potential security issues

See Also

https://github.com/python/pythondotorg/pull/2417

[hugovk]

This PR will add links for all repos under https://github.com/python to the security policy:

• https://docs.github.com/en/communities/setting-up-your-project-for-healthy-contributions/creating-a-default-community-health-file#supported-file-types
• https://docs.github.com/en/code-security/getting-started/adding-a-security-policy-to-your-repository

The policy at https://www.python.org/dev/security/ says it only covers official CPython and pip.

It doesn't mention other projects under https://github.com/python, such as mypy, blurb, pyperformance and tzdata: https://github.com/orgs/python/repositories?type=all

I think it's reasonable to include those, but let's ask the PSRT first.

[hugovk]

Yes, it would show up on all repos under https://github.com/python.

I've asked the PSRT to confirm they're fine with it, and a couple of mypy maintainers said they'd be happy to receive reports via the PSRT. (Mypy being the most likely to receive security reports.)

[JacobCoffee]

Any news @hugovk ?

[hugovk]

It was generally positive but nothing definitive so I've asked again.

[JacobCoffee]

Do I need to merge this? I don't mind, just don't want to step on anyones toes.

[hugovk]

Go for it!