This also gives details of how to report a security issue, including the
key point that merge requests are (unfortunately) not confidential.
Heavily based on the flatpak security policy which just landed:
https://github.com/flatpak/flatpak/blob/master/SECURITY.md
Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
