Create SECURITY.md

Adapted from neqo. What should the Bugzilla component for this be?

Author: larseggert

SECURITY.md

@@ -0,0 +1,14 @@
+# Security Policy
+
+This document describes how security vulnerabilities in this project should be reported.
+
+## Reporting a Vulnerability
+
+To report a security problem with neqo, create a bug in Mozilla's Bugzilla instance in the [Core :: Networking](https://bugzilla.mozilla.org/enter_bug.cgi?product=Core&component=Networking) component.
+
+**IMPORTANT: For security issues, please make sure that you check the box labelled "Many users could be harmed by this security problem".**
+We advise that you check this option for anything that involves anything security-relevant, including memory safety, crashes, race conditions, and handling of confidential information.
+
+Review Mozilla's [guides on bug reporting](https://bugzilla.mozilla.org/page.cgi?id=bug-writing.html) before you open a bug.
+
+Mozilla operates a [bug bounty program](https://www.mozilla.org/en-US/security/bug-bounty/), for which this project is eligible.