Define a security policy

[jpmcb]

cobra needs a security policy.

Generally, this should define:

• How users should report vulnerabilities
• How cobra maintainers respond
• How known security vulnerabilities and CVEs are communicated to the community

Inspiration from Open Web Application Security Project

We'd also like any input from the community since, in the end, all these policies serve the community

[jpmcb]

We do mention this in the contributing guide: #1601 (comment)

But we should create a SECURITY.md and enter these policies in GitHub

[github-actions]

The Cobra project currently lacks enough contributors to adequately respond to all issues. This bot triages issues and PRs according to the following rules:

• After 60d of inactivity, lifecycle/stale is applied. - After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied and the issue is closed.
  You can:
• Make a comment to remove the stale label and show your support. The 60 days reset. - If an issue has lifecycle/rotten and is closed, comment and ask maintainers if they'd be interseted in reopening