added security policy document

This is adapted from firecracker's security policy document.

Signed-off-by: Andreea Florescu <[email protected]>

SECURITY-POLICY.md

@@ -0,0 +1,22 @@
+# Security Issue Policy
+
+If you uncover a security issue with micro-http, please write to us on
+<[email protected]>.
+
+Once the Firecracker [maintainers](MAINTAINERS.md) become aware (or are made
+aware) of a security issue, they will immediately assess it. Based on impact
+and complexity, they will determine an embargo period (if externally reported,
+the period will be agreed upon with the external party).
+
+During the embargo period, maintainers will prioritize developing a fix over
+other activities. Within this period, maintainers may also notify a limited
+number of trusted parties via a pre-disclosure list, providing them with
+technical information, a risk assessment, and early access to a fix.
+
+The external customers are included in this group based on the scale of their
+micro-http usage in production. The pre-disclosure list may also contain
+significant external security contributors that can join the effort to fix the
+issue during the embargo period.
+
+At the end of the embargo period, maintainers will publicly release information
+about the security issue together with the micro-http patches that mitigate it.