github-friendly security policy

This is mostly to check off some extra check boxes on github.

Something similar as we have in Kea: Kea security policy. Also, BIND security policy.

This is just writing down what we already have spread out in several places, condensed and formatted in github friendly format. No specific process changes proposed.