Add proposed security policy

[reinecke]

Fixes #1790
Fixes #1407

Summarize your change.

Adds a SECURITY.md file with basic documentation of how to report vulnerabilities and out security practices.

DO NOT MERGE UNTIL [email protected] is created

To discuss

I matched OpenEXR's response times for vulnerabilities, does that make sense for us?

[codecov-commenter]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 81.55%. Comparing base (c0e97b0) to head (e24180f).
Report is 27 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #1803      +/-   ##
==========================================
- Coverage   84.11%   81.55%   -2.57%     
==========================================
  Files         198      176      -22     
  Lines       22241    12666    -9575     
  Branches     4687     2782    -1905     
==========================================
- Hits        18709    10330    -8379     
+ Misses       2610     1794     -816     
+ Partials      922      542     -380     

Flag	Coverage Δ
py-unittests	81.55% <ø> (-2.57%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

see 122 files with indirect coverage changes

---

Continue to review full report in Codecov by Sentry.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 5dff8be...e24180f. Read the comment docs.

[jmertic]

Test of [email protected] completed - https://lists.aswf.io/g/otio-tsc-private/topic/test/109188441

[reinecke]

@jminor mentions:
We should make sure we as the TAC are clear about who's responsible for responding within the 48 hours and what that response should look like.
Is it just an e-mail?