Add .github/SECURITY.md file, per best practices

.github/SECURITY.md

@@ -0,0 +1,36 @@
+# Reporting security issues
+
+This project's developers and community are committed to addressing security
+bugs promptly and effectively. We appreciate your efforts to disclose your
+findings responsibly, and will make every effort to acknowledge your
+contributions.
+
+Please **do not** use GitHub issues to report security vulnerabilities; GitHub
+issues are public, and doing so could allow someone to exploit the information
+before the problem can be addressed. Instead, please use the *Report a
+vulnerability* interface from the *Security* tab at the top of this GitHub
+repository page.
+
+<div align="center">
+<img width="75%" alt="Location of the report button on the repository page"
+    src="/.github/report-vulnerability-button.png">
+</div>
+
+Please report security issues in third-party modules to the person or team
+maintaining the module rather than this project's stewards, unless you believe
+that some action needs to be taken specifically with this project in order to
+guard against the effects of a security vulnerability in third-party software.
+
+## Responses to security reports
+
+The project stewards at Google Quantum AI will send a response indicating the
+next steps in handling your report. After the initial reply to your report, the
+project stewards will keep you informed of the progress towards a fix and full
+announcement, and may ask for additional information or guidance.
+
+## Additional points of contact
+
+Please contact the project stewards at Google Quantum AI via email at
+quantum-oss-maintainers@google.com if you have questions or other concerns. If
+for any reason you are uncomfortable reaching out to the project stewards,
+please email opensource@google.com instead.