Closed
Description
We need to create a process for individuals to be able to disclose security vulnerabilities responsibly.
I suggest:
- We create a "SECURITY.md" file with contact information of one/some people here who will be designated security contact.
- Add information to our README/Contributing guide as to how to disclose security issues (not open issues/PRs without contacting security etc)
- Discuss/publish our security patch processes and any backporting we intend to do (set the library users' expectations)