Add a Security Policy

[postmodern]

Add a SECURITY.md file explaining how to report vulnerabilities in bundler-audit.

• Which email address should they be sent to? (rubysec's mailing list or my email addres?)
• Which PGP key, if any, should be used to encrypt emails? (I can volunteer my PGP pubkey)

/cc @reedloden

[reedloden]

I'm a bit biased here due to it being my employer (and the fact that I manage this particular offering), but HackerOne offers a completely free version for open source projects. Might I suggest that as an alternative to email and PGP? Ruby, Rails, and RubyGems all use it already, just as examples.

[kallal79]

HI @postmodern , I’d like to work on this issue, please assign it to me.