Add proposed security policy

[reinecke]

Fixes #1790
Fixes #1407

Summarize your change.

Adds a SECURITY.md file with basic documentation of how to report vulnerabilities and out security practices.

DO NOT MERGE UNTIL security@opentimeline.io is created

To discuss

I matched OpenEXR's response times for vulnerabilities, does that make sense for us?

[codecov-commenter]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 85.13%. Comparing base (a71b292) to head (ab0c72f).

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #1803   +/-   ##
=======================================
  Coverage   85.13%   85.13%           
=======================================
  Files         181      181           
  Lines       12783    12783           
  Branches     1206     1206           
=======================================
  Hits        10883    10883           
  Misses       1717     1717           
  Partials      183      183           

Flag	Coverage Δ
py-unittests	85.13% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

---

Continue to review full report in Codecov by Sentry.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update a71b292...ab0c72f. Read the comment docs.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[jmertic]

Test of security@opentimeline.io completed - https://lists.aswf.io/g/otio-tsc-private/topic/test/109188441

[reinecke]

@jminor mentions:
We should make sure we as the TAC are clear about who's responsible for responding within the 48 hours and what that response should look like.
Is it just an e-mail?