Define and publish security disclosure policies

[displague]

Expected Behaviour

Tinkerbell users and security researchers that discover potential vulnerabilities in Tinkerbell should have a well-defined communication protocol with Tinkerbell maintainers with defined security roles.

Current Behaviour

Users and researchers submit issues in the public (slack, github, google groups) or in DMs on various platforms (Slack, email, Twitter).

Users and researchers looking for a defined approach can not find one.

Possible Solution

Users and researchers should:

• find tinkerbell.org security disclosure guidance
• find GH Issue templates instructing users to report responsibly through the correct channels

Tinkerbell maintainers should:

• form a security group with select trusted members from multiple organizations. this group should:
  • have a communication channel and cadence for discussion, with the ability to make prompt decisions as needed
  • work with and with-in the CNCF security teams and guidelines

Steps to Reproduce (for bugs)

1. Discover a potential security vulnerability
2. Report it

Context

As the Tinkerbell community matures and the software expands into new areas, inheriting new dependencies, we are bound to run into these concerns with greater frequency and severity.

[displague]

Related issue: tinkerbell/org#14

[mmlb]

We can move tinkerbell/org#14 over to here instead of this symlink, want to do that?

[displague]

closing in favor of https://github.com/tinkerbell/org/issues/14 (transferred from tink)