Added security policy

Author: kukulich

.github/SECURITY.md

@@ -0,0 +1,24 @@
+# Security Policy
+
+## Reporting a Vulnerability
+
+If there are any vulnerabilities in **Slevomat Coding Standard**, don't hesitate to _report them_.
+
+1. Use the [private email address](https://www.slevomat.cz/.well-known/security.txt).
+2. Describe the vulnerability.
+
+	If you have a fix, that is most welcome -- please attach or summarize it in your message!
+
+3. We will evaluate the vulnerability and, if necessary, release a fix or mitigating steps to address it. We will contact you to let you know the outcome, and will credit you in the report.
+
+	Please **do not disclose the vulnerability publicly** until a fix is released!
+
+4. Once we have either a) published a fix, or b) declined to address the vulnerability for whatever reason, you are free to publicly disclose it.
+
+## Tidelift subscribers
+
+If you're a [Tidelift](https://tidelift.com/) subscriber, please use this route instead:
+
+To report a security vulnerability, please use the
+[Tidelift security contact](https://tidelift.com/security).
+Tidelift will coordinate the fix and disclosure.