Establish SECURITY.md

[Perseus985]

OpenSSF Scorecard finding: Security Policy

Create .github/SECURITY.md or SECURITY.md at repo root.

Minimum content: supported versions table and a private vulnerability disclosure contact (e.g. email or GitHub private vulnerability reporting).

[BergCyrill]

The security policy is something we need to discuss again on our weekly call. The last time there was not enough feedback to get a consistent security policy out of it - we may want to make the first step here.