
docs(security): add initial security policy

Open janderssonse opened this issue 7 months ago • 1 comment

This PR adds a SECURITY.md file, battle-tested in other projects and orgs (the construct is CC0, i.e. public domain, for example from here https://raw.githubusercontent.com/itiquette/git-provider-sync/refs/heads/main/SECURITY.md, so just reuse it).

A SECURITY.md would help anyone assessing the project for use, give a hint of how it handles critical non-public security issues, and give anyone clear instructions on how to report them non-publicly.

I.e., for someone thinking about using reuse-tool in an organization or privately, it would give an extra trust factor.

This policy basically says "send your findings, and we will see if we handle them, we will notify you".

Besides being a good FOSS practice, it makes the project look more professional, and it is heavily supported by GitHub (https://docs.github.com/en/communities/setting-up-your-project-for-healthy-contributions/creating-a-default-community-health-file etc.) as one of the community health files, so it will pop up automatically in the UI for the end user.

Examples: a Security tab on the project front page will be added automatically. [Screenshot from 2025-05-11 05-57-27]

A Security Policy link in the top right corner of the UI will be added automatically. [Screenshot from 2025-05-11 05-58-05]

Security Policy under the Security Overview for the project will show as green and enabled. [Screenshot from 2025-05-11 05-58-23]

NOTE: there is a <...> in the text where the preferred channel for reporting should be added. I left that for you (or tell me what to add there, and I'll rebase with that).

NOTE: I have had this in multiple orgs and projects over the years. Only once did I get a report, so

  • [x] My changes do not contradict the current specification.
  • [x] I agree to license my contribution under the licenses indicated in the changed files.

janderssonse avatar May 11 '25 12:05 janderssonse

This looks good to me overall. If you wrote it, then you are the author, though, not the FSFE. I will clarify some of the details here and get back to you.

floriansnow avatar Jun 15 '25 09:06 floriansnow