Add Security Policy file for reporting potential vulnerabilities #199
Description
Hello,
could you please add a security policy file (SECURITY.md) to your repository to describe how to report potential vulnerabilities in a safe and private way? This way you can first evaluate the report and then decide if it is indeed a vulnerability and how to handle it.
Handling such reports in public GitHub issues could be problematic if it turns out the reported issue is indeed a vulnerability, because at that point other (potentially malicious) users might have already noticed it and could try to exploit it before a fix is available.
Related to this, could you please enable private vulnerability reporting for your repository? That way these reports can directly be created on GitHub (and you don't need for example to handle these reports by mail), it supports using a private fork for fixing the issue, and the advisory can be published and a CVE can be requested if desired.
I am asking this because I would like to report a specific potential vulnerability. But setting up a security policy and private vulnerability reporting will likely benefit this repository in general in case other users find other potential issues.