
Define an org-wide security policy #12

Closed
travi opened this issue Jun 17, 2022 · 2 comments

Comments

@travi
Member

travi commented Jun 17, 2022

We should get a policy defined for the org and can define it in one place in this repo. We've needed one for a while anyway, but semantic-release/semantic-release#2449 revealing a vulnerability publicly rather than doing coordinated disclosure by starting the conversation privately highlights further that outlining a policy could be a helpful reminder for users that are looking to contact us.

The complication involved in defining a policy is that there is no way built into GitHub for initiating the private conversation, leaving email as the best option for initial contact. In order to avoid revealing the personal email addresses of our maintainers in a public file, it would be better if we could set up a security address that could be routed to maintainers through the semantic-release.org domain.

If we're ok with moving the domain to Cloudflare, I recommend that we use their email routing service:

@travi
Member Author

travi commented Jun 17, 2022

I've created a Cloudflare org/account and can invite maintainers to that org, but would need info about an existing personal Cloudflare account to do so.

The domain transfer is quick and painless. I've moved several to Cloudflare and have been happy with managing domains there.

@travi
Member Author

travi commented Aug 29, 2023

This is covered by https://github.com/semantic-release/.github/blob/main/.github/SECURITY.md at this point.

@travi travi closed this as completed Aug 29, 2023