* Create SECURITY.md We've not actually stated a formal policy, and in leu of email this should suffice. * Add note about what we consider vulnerabilties
