RFC: Address concerns with supply chain risks from Docq
Is your change proposal related to a problem? Please describe.
As self-hosted OSS, Docq is well-positioned to answer most supply chain risk questions from businesses adopting it. This is more to do with our own internal process to prevent any risk from our software supply chain propagating downstream to Docq's customers.
Propose the solution you'd like
GitHub is in a great position to help us in an OSS capacity, for example with all the security tools they offer. We should be clear about our additional policies and processes.
Describe alternatives you've considered
N/A
Additional context
Some accreditations such as SOC2 or ISO27001 may move into view at some point.