
Add proposed security policy#1803

Merged
reinecke merged 6 commits into AcademySoftwareFoundation:main from reinecke:add-security-policy
Mar 10, 2026

Conversation

reinecke (Collaborator) commented Oct 23, 2024

Fixes #1790
Fixes #1407

Summarize your change.

Adds a SECURITY.md file with basic documentation of how to report vulnerabilities and our security practices.

DO NOT MERGE UNTIL security@opentimeline.io is created

To discuss

I matched OpenEXR's response times for vulnerabilities, does that make sense for us?

reinecke added the labels documentation, Best Practices Badge (items related to: https://bestpractices.coreinfrastructure.org/en/projects/2288) and ASWF on Oct 23, 2024

codecov-commenter commented Oct 23, 2024

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 85.15%. Comparing base (9aed6f0) to head (4db0643).


@@           Coverage Diff           @@
##             main    #1803   +/-   ##
=======================================
  Coverage   85.15%   85.15%           
=======================================
  Files         181      181           
  Lines       12783    12783           
  Branches     1206     1206           
=======================================
  Hits        10885    10885           
  Misses       1715     1715           
  Partials      183      183           
Flag          Coverage Δ
py-unittests  85.15% <ø> (ø)

Flags with carried forward coverage won't be shown.


Legend: Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 9aed6f0...4db0643.

jmertic (Contributor) commented Oct 24, 2024

Test of security@opentimeline.io completed - https://lists.aswf.io/g/otio-tsc-private/topic/test/109188441

reinecke (Collaborator, Author) commented

@jminor mentions:
We should make sure we as the TAC are clear about who's responsible for responding within the 48 hours and what that response should look like.
Is it just an e-mail?

Signed-off-by: Eric Reinecke <ereinecke@netflix.com>
…d SECURITY.md to MANIFEST.in

Signed-off-by: Eric Reinecke <ereinecke@netflix.com>
…rom github runner

Signed-off-by: Eric Reinecke <ereinecke@netflix.com>
reinecke (Collaborator, Author) commented

I've set up notifications for emails to the list - when we receive notices we will acknowledge the sender and then proceed based on the nature of the vulnerability and level of effort to fix.
Ideally, we respond with a quick-turnaround PR - if it's something that will take longer we can structure an appropriate response making sure we notify the community about the nature of the vulnerability and the roadmap we have to address it.

@reinecke reinecke merged commit 4870d68 into AcademySoftwareFoundation:main Mar 10, 2026
55 checks passed

Development

Successfully merging this pull request may close these issues:
- Set up a project security policy
- Security vulnerability process

6 participants