Set up a security policy for future vulnerability reporting

[pllim]

Perhaps https://github.com/ejeschke/ginga/issues/1119 could have gone through a more private route of security reporting. This can be accomplished by setting up a GitHub security policy. Private reporting is important if the risk/impact is high and you do not want to advertise it before publishing a patch.

https://docs.github.com/en/code-security/getting-started/adding-a-security-policy-to-your-repository