Document security policy (#92)

Author: jeddy3

.github/SECURITY.md

@@ -1,5 +1,25 @@
-# Reporting security issues
+# Security
 
-Please use the "Report a security vulnerability" option under the "New issue" menu to privately report a vulnerability.
+## Supported versions
 
-Thank you for making Stylelint safe for everyone!
+We only provide security updates for the latest major version of our packages. We recommend using the latest versions.
+
+## Best practices
+
+We update our dependencies on a cool-down, provide immutable releases on GitHub and use trusted publishing for npm to improve supply chain security.
+
+We use CodeQL to discover vulnerabilities as part of our continuous integration process.
+
+## Report a vulnerability
+
+You should use the "Report a vulnerability" feature under the "Security" tab of the appropriate repository.
+
+You can expect an acknowledgement of your report within 3–5 business days.
+
+We follow a policy of responsible disclosure. We ask that you give us a reasonable amount of time to remediate the issue before any public information is shared.
+
+### Advisories
+
+We'll only issue security advisories when a non-local actor can exploit a confirmed vulnerability.
+
+Our packages are typically local development dependencies with no security issues linked to regular expression performance or similar that could affect public servers.