Merge bitcoindevkit#2171: Add SECURITY.md

122207f feat(doc): add `SECURITY.md` (Luis Schwab)

Pull request description:

  Closes bitcoindevkit#2168

  ## Changelog
  ```
  - Add `SECURITY.md` listing the PGP key to be used for vulnerability disclosures
  ```

ACKs for top commit:
  oleonardolima:
    ACK 122207f
  notmandatory:
    ACK 122207f

Tree-SHA512: 22e5d05ee4497a1c4e40e1aedb25739c8e2ab954e876f4305175697ee366b17d18d44aeb22ef81558e0515cc056bd828358116c6af0567f9ca17d4183b21bf3c

Author: oleonardolima

CONTRIBUTING.md

@@ -98,16 +98,9 @@ All new features require testing. Tests should be unique and self-describing. If
 Security
 --------
 
-Security is a high priority of BDK; disclosure of security vulnerabilities helps
-prevent user loss of funds.
+Given the critical nature of BDK as a wallet library, we take security very seriously.
 
-Note that BDK is currently considered "pre-production" during this time, there
-is no special handling of security issues. Please simply open an issue on
-Github.
-
-BDK requires all commits to be signed using PGP. Refer to
-[this guide](https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work)
-if you don't have a PGP key set up with `git` yet.
+For information on how to report security vulnerabilities, please refer to the [Security Policy](SECURITY.md).
 
 Testing
 -------

SECURITY.md

@@ -0,0 +1,16 @@
+# Security Policy
+
+To report security issues send an email to `security AT bitcoindevkit DOT org` (not for support).
+
+The following key may be used to communicate sensitive information to developers:
+
+| Name | Fingerprint |
+| ---- | ----------- |
+| `security@bitcoindevkit.org` | `7416 BB25 5E60 E40D 482E 591B 7201 8930 A1FB 3444` |
+
+You can import the key by running the following command:
+```
+gpg --recv-keys 7416BB255E60E40D482E591B72018930A1FB3444 --keyserver hkps://keys.openpgp.org
+```
+
+You can also download it from [our website](https://bitcoindevkit.org/foundation/pgp/#security-disclosures).