docs: add Security Policy

SECURITY.md

@@ -0,0 +1,22 @@
+# Security Policy
+
+## Supported Versions
+
+At the moment Oh My Zsh only considers the very latest commit to be supported.
+We combine that with our fast response to incidents, so risk is minimized.
+
+| Version        | Supported          |
+|:-------------- |:------------------ |
+| master         | :white_check_mark: |
+| other commits  | :x:                |
+
+In the near future we will introduce versioning, so expect this section to change.
+
+## Reporting a Vulnerability
+
+If you find a vulnerability, email all the maintainers directly at:
+
+- Robby: robby [at] planetargon.com
+- Marc: hello [at] mcornella.com
+
+**Do not open an issue or Pull Request directly**, because it might reveal the vulnerability.