
Create `SECURITY.md`

Open jasikpark opened this issue 2 years ago • 2 comments

It would be great to have a SECURITY.md like a README.md so it's possible to responsibly disclose bugs in the nebula source code.

I would make a PR, but I'm unsure what more one would entail past recommending emailing [email protected] or [email protected] or something + mentioning the bug bounty program at https://hackerone.com/slack?type=team

GitHub sets up a nice template if you go to https://github.com/slackhq/nebula/security/policy to create a new policy

jasikpark avatar Jun 28 '22 20:06 jasikpark

We have #481 and #263 we can review as well

wadey avatar Jun 28 '22 20:06 wadey

It seems like #481 is the more descriptive of the two, though it's not up-to-date with the new Salesforce bug severity scale..

Is it worth merging one of those and then updating it? Or should it be added in a whole other PR?

jasikpark avatar Jun 30 '22 10:06 jasikpark