Document the preferred process to report and resolve security vulnerabilities. My proposal is to use a specific email address for initial communications (e.g. [email protected]) so that core developers and security researchers can share vulnerability details over a secure and private channel. General steps to do that should include:

- publish a PGP public key and require encrypted emails from security researchers
- possibly add a "Hall of Fame" style "thank you" page for contributors
- create a single page, or document any security-related release clearly on the project home page. This is to help end users have a clear understanding of when a new release contains security-related fixes and not just functionality or cosmetic changes.
There are at least some issues described in this repo's security advisory page. GitLab supports this as of 2019-05, and it is now better to document security-related info in a SECURITY.md file.