docs: add a security policy

[jsoref]

Motivation

At times, people need to be able to reach out to report security issues. Preferably w/o everyone seeing the report.

Suggestion

https://docs.github.com/en/code-security/getting-started/adding-a-security-policy-to-your-repository

[DirtyF]

/cc @jekyll/core

[parkr]

I have created security-at-jekyllrb.com as an email address to submit these reports and contact the team. Let's create a document explaining the procedure. My thought is for the folks with a vulnerability to email that listserv with details of the vulnerability, steps to reproduce, and a GitHub handle. We could then spin up an issue in a new repo to discuss the vulnerability, patches, CVE assignment, etc.

[jekyllbot]

This issue has been automatically marked as stale because it has not been commented on for at least two months.

The resources of the Jekyll team are limited, and so we are asking for your help.

If this is a bug and you can still reproduce this error on the latest 3.x-stable or master branch, please reply with all of the information you have about it in order to keep the issue open.

If this is a feature request, please consider building it first as a plugin. Jekyll 3 introduced hooks which provide convenient access points throughout the Jekyll build pipeline whereby most needs can be fulfilled. If this is something that cannot be built as a plugin, then please provide more information about why in order to keep this issue open.

This issue will automatically be closed in two months if no further activity occurs. Thank you for all your contributions.

[jsoref]

This is still important

[parkr]

Agreed. I started writing this here: #8823

[parkr]

https://github.com/jekyll/jekyll/blob/master/.github/SECURITY.markdown
https://jekyllrb.com/docs/security/