Add security policy

SECURITY.md

@@ -0,0 +1,51 @@
+Security Policy
+===============
+
+Security has a high priority or this project. If you discover a security issue,
+please report it right away!
+
+Reporting a Vulnerability
+-------------------------
+
+If you believe you have found a security vulnerability in this project, please
+report it privately. **Do not** file a public issue and do not otherwise
+disclose the vulnerability before it has been fixed.
+
+You can [https://github.com/s-hamann/desec-dns/security/advisories/new](report a vulnerability)
+on GitHub.
+
+Alternatively, you may send an email to `[email protected]`. If
+possible, please use PGP
+([key](https://keys.openpgp.org/vks/v1/by-fingerprint/87A5C2AC1452043F1A105C4C91C8E2A38D0CDD15))
+to encrypt the email and provide your own public PGP key for encrypted
+communication.
+
+Please include all information that seems relevant in your initial report,
+typically including
+* a description of the issue,
+* steps to reproduce it, including any special setup requirements,
+* if possible, proof-of-concept (PoC) code and
+* the impact of the vulnerability.
+
+If you identified the vulnerable code section or have a suggestion on how to
+fix it, please include that information as well. Preferably use GitHub's
+temporary private fork if you want to submit a fix yourself.
+
+Response Time
+-------------
+
+You should receive a response within a few days. If for some reason you do
+not, please follow up with an email.
+
+We aim to resolve any security issues as quick as possible. However, depending
+of the complexity and available free time, it may take several days.
+
+Disclosure Policy
+-----------------
+
+Please follow Responsible Disclosure/Coordinated Vulnerability Disclosure
+principles and do not publicly disclose any vulnerabilities before a fix has
+been released (or after 90 days, in the unexpected case that no fix gets
+released).
+
+Thank you for your help keeping this project secure!