Add a security policy for reporting issues

[belcherj]

Set up a security policy.

Help the community understand how to securely report security vulnerabilities for calypso.

https://github.com/Automattic/wp-calypso/security/policy

[stale]

This issue has been marked as stale and will be closed in seven days. This happened because:

• It has been inactive in the past 9 months.
• It isn't a project or a milestone, and hasn’t been labeled `[Pri] Blocker`, `[Pri] High`, `[Status] Keep Open`, or `OSS Citizen`.

You can keep the issue open by adding a comment. If you do, please provide additional context and explain why you’d like it to remain open. You can also close the issue yourself — if you do, please add a brief explanation.

[griffbrad]

This seems worth addressing. We already have some basic info in the main README.

[stale]

This issue has been marked as stale and will be closed in seven days. This happened because:

• It has been inactive in the past 9 months.
• It isn't a project or a milestone, and hasn’t been labeled `[Pri] Blocker`, `[Pri] High`, `[Status] Keep Open`, or `OSS Citizen`.

You can keep the issue open by adding a comment. If you do, please provide additional context and explain why you’d like it to remain open. You can also close the issue yourself — if you do, please add a brief explanation.

[sarayourfriend]

Shall we just copy what's in the README?

https://github.com/automattic/wp-calypso/blob/6037b345736168b583ea0c7a4fd06729338841c0/README.md#L35

[griffbrad]

Yes. Also worth glancing at Jetpack’s policy:
https://github.com/Automattic/jetpack/blob/master/SECURITY.md