
Add a company wide SECURITY.md? #6

Open
sed-i opened this issue Jun 15, 2023 · 1 comment

Comments

@sed-i

sed-i commented Jun 15, 2023

We should probably add a SECURITY.md file to all relevant repos.

Perhaps we could link to a company-wide SECURITY.md (example)?

@eslerm
Member

eslerm commented Jul 17, 2024

Yes please \o/

Please see https://warthogs.atlassian.net/browse/SEC-4238

As I understand it, we are waiting for GitHub Private Security Reporting to be officially ACK'd before proceeding (so that projects can decide if they want e-mail or GH reporting in the SECURITY.md).

The proposed text is loosely based on the OpenSSF's suggestions:

To report a security issue, please email security@ubuntu.com with a description of the issue, the steps you took to create the issue, affected versions, and, if known, mitigations for the issue.

Our vulnerability management team intends to respond within 3 working days of your report. If the issue is confirmed to be a vulnerability we will assign a CVE. This project aims to resolve all vulnerabilities within 90 days.

The Ubuntu Security disclosure and embargo policy contains more information about what you can expect when you contact us, and what we expect from you.

(Projects may elect to change the email contact; this is just the default suggestion.)
