Add SECURITY.md to document security policy (Qiskit#9589)

This commit adds a SECURITY.md file to the repository to document the
security policy for the project. We recently enabled the private security
advisories feature on the repository (which is a relatively new "beta"
feature in github). Since we now have a place to privately raise potential
security issues it is good to have a documented policy on how security
vulnerabilities should be reported and our support policy for
the versions we will fix (which is just the latest release series). Over time
we can adjust this policy as needed.

Co-authored-by: Eric Arellano <[email protected]>
Co-authored-by: Matthew Treinish <[email protected]>

Author: 3 people

SECURITY.md

@@ -0,0 +1,21 @@
+# Security Policy
+
+## Supported Versions
+
+Qiskit (and `qiskit-terra`) supports one minor version release at a time, both for bug and
+security fixes. For example, if the most recent release is 0.12.1, then the 0.12.x
+release series is currently supported.
+
+## Reporting a Vulnerability
+
+To report vulnerabilities, you can privately report a potential security issue
+via the Github security vulnerabilities feature. This can be done here:
+
+https://github.com/Qiskit/qiskit-terra/security/advisories
+
+Please do **not** open a public issue about a potential security vulnerability.
+
+You can find more details on the security vulnerability feature in the Github
+documentation here:
+
+https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability