dandavison
docs(security): add initial security policy
This PR adds a SECURITY.md file, battle tested in other projects and orgs, (the construct is CC0 ie public domain, for example from here https://raw.githubusercontent.com/itiquette/git-provider-sync/refs/heads/main/SECURITY.md so just reuse)
A SECURITY.md would help anyone assessing the project for use, give a hint of how it handles critical no public security issues, and give anyone a clear instruction on how to report them non public.
IE, for someone thinking about using delta in an organisation or privately it would give an extra trust factor.
This policy basically says "send your findings, and we will see if we handle them, we will notify you".
Besides, being a good FOSS practice, makes the project look more professional and it is heavily supported by GitHub https://docs.github.com/en/communities/setting-up-your-project-for-healthy-contributions/creating-a-default-community-health-file etc as one of the community health files, so it will pop up automatically in the UI for the end user.
Examples:
Security Tab in project front will be added automatically
Security Policy in the top right corner of UI will be added automatically
Security Policy under Security Overview for the project will have the Security Policy green and enabled.
NOTE: there is a <...> in the text, where the preferred channel for reporting should be added I left that for you, (or tell me what to add there, and I'll rebase with that).
NOTE: I had this in multiple orgs and projects over the years. Only once I had a report, so I don't think one should be worry about getting to much reports from this, this is at least my experience.
