tkem/cachetools

[security] Set security policy

Closed this issue · 1 comments

Adding a Security Policy is important to provide guidance on how users can report potential vulnerabilities and also raise awareness of when vulnerabilities will be confirmed, fixed and disclosed.

I recently recommended #261 and, like that change, this one is also related to security and is recommended by GitHub and Scorecard.

If you agree, I can open a PR to suggest a Security Policy. We can then work together to communicate how the repo can best handle vulnerability reports.

Additional Context

Hi again! I'm Gabriela and I work on behalf of Google and the OpenSSF suggesting supply-chain security changes :)

tkem commented

@gabibguti: PR would be welcome!