tide
Responsible disclosure guidance for http-rs
If someone discovers a security vulnerability in the http-rs ecosystem, who do they contact and what is the procedure for resolution? One action might be writing and publishing something along the lines of https://rubyonrails.org/security/ (but without the bounty). Alternatively, it might be as simple as a line in the README of who to contact on Discord.
Seems worth addressing this before there's a security concern. We also might want to add a warning in the issue templates not to file security concerns as issues.