Document a policy for virus scanner false positive results on Kubernetes release artifacts

We occasionally get reports of malicious code detected in Kubernetes release artifacts that are ultimately due to virus-scanner false positives. It could be nice to have a policy for responding to these, to reduce the effort required.