Add new security policy

Author: CAM-Gerlach

SECURITY.md

@@ -0,0 +1,26 @@
+# Security Policy
+
+
+## Supported Versions
+
+Spyder-Kernels normally supports the version supporting the latest versions of Spyder with bug fixes, security updates and compatibility improvements.
+Additionally, the previous feature (major or minor) release will be supported for critical security and bug fixes only for two months following the release of a new Spyder feature version.
+
+The following summarizes the support status of recent Spyder-Kernels versions.
+
+| Version  | Supported          |
+| -------- | ------------------ |
+| 3.0.x    | :heavy_check_mark: |
+| <3       | :x:                |
+
+
+
+## Reporting a Vulnerability
+
+If you believe you've discovered a security vulnerability in Spyder-Kernels, please use open a new security advisory with [our GitHub repo's private vulnerability reporting](https://github.com/spyder-ide/spyder-kernels/security/advisories/new).
+Please be sure to carefully document the vulnerability, including a summary, describing the impacts, identifying the line(s) of code affected, stating the conditions under which it is exploitable and including a minimal reproducible test case.
+Further information and advice or patches on how to mitigate it is always welcome.
+You can usually expect to hear back within 1 week, at which point we'll inform you of our evaluation of the vulnerability and what steps we plan to take, and will reach out if we need further clarification from you.
+We'll discuss and update the advisory thread, and are happy to update you on its status should you further inquire.
+While this is a volunteer project and we don't have financial compensation to offer, we can certainly publicly thank and credit you for your help if you would like.
+Thanks!