Create security policy

SECURITY.md

@@ -0,0 +1,28 @@
+# Security Policy
+
+Thanks for taking the time to engage with the project! We believe in the concept of
+[coordinated disclosure](https://en.wikipedia.org/wiki/Coordinated_vulnerability_disclosure) and currently expect a 60
+day grace period for resolution of any outstanding issues.
+
+## Reporting a vulnerability
+
+You can report a security vulnerability in two ways:
+
+- [Report a vulnerability privately using GitHub security advisories][1]
+
+- via email to our core team: [William](mailto:william@blackhats.net.au) and
+  [James](mailto:james+kanidm@terminaloutcomes.com)
+
+If you have found an issue where you're not sure whether it is a "real security
+bug", please report it as a security bug. We can re-triage the issue as a
+regular issue if it turns out to not have security impacts.
+
+We expect all reports to have been verified by a human before submission.
+Properly triaging and investigating all issues (not just security relevant)
+takes up time, and we are a volunteer-driven project.
+
+We will endeavour to respond to your request as soon as possible.
+
+We do not offer bounties, but acknowledgement will be made if you like.
+
+[1]: https://github.com/kanidm/compact-jwt/security/advisories/new