[RFE] Add instruction for reporting security issues to README.md and via GitHub security policy

[invidian]

Current situation

README.md currently only mentions that problems should be reported via issues. It would be good to better align with https://kinvolk.io/flatcar-container-linux/security/ and mention channels for reporting security issues.

Impact

Security issues might get accidentally disclosed because of lack of clear secure communication channels for reporting security issues.

Ideal future situation

It is clearly documented where to report possible security issues.

**Implementation options

• add section with security email to README.md
• add GitHub security policy