Create a security policy. #126

Draft
wmaroneAMD wants to merge 1 commit into main from psirt-security-policy

Conversation

@wmaroneAMD (Collaborator)

This policy is derived from the Caliptra PSIRT policy found here:

https://github.com/chipsalliance/Caliptra/blob/main/SECURITY.md

Next is to tune this to fit OpenPRoT specifics.

wmaroneAMD force-pushed the psirt-security-policy branch from 083f863 to 9783945 on March 4, 2026 at 23:15.

@wmaroneAMD (Collaborator, Author)

Open questions:

  • Will GitHub's mechanisms suffice for us, or do we need to employ ChipsAlliance's infrastructure (mailing list, etc.)?
  • Set up our own CNA? I don't think our scope is big enough quite yet.

wmaroneAMD force-pushed the psirt-security-policy branch from 9783945 to aa8c463 on March 4, 2026 at 23:25.

@FerralCoder (Collaborator)

Quoting the open questions above:

  • Will GitHub's mechanisms suffice for us, or do we need to employ ChipsAlliance's infrastructure (mailing list, etc.)?
  • Set up our own CNA? I don't think our scope is big enough quite yet.

Given my experience with Caliptra, I feel that the overhead of setting up our own CNA is a step too far.

As for the question on mailing lists, etc... I am torn on that.

  • On the one hand, using a mailing list for submitting issues is common practice, while the GitHub Private Vulnerability Reporting mechanism is relatively new. Also, I am not sure how we would notify potentially affected parties during the embargo period without some sort of outbound list.
  • On the other hand, an inbound mailing list requires constant monitoring in addition to everything controlled through GitHub. Using the built-in mechanism means that everything is in one place and simpler to manage.

Opinions?
