RFC: Create SECURITY.md (mne-tools#8358)

* Create SECURITY.md

WIP.  Needs discussion about preferred reporting method for security vulnerabilities, if any are ever discovered.

Also this file would need to get updated every time a release is made, so the release process wiki should be edited to mention that.

* add email address

* Let Eric finish my sentences :)

Co-authored-by: Eric Larson <[email protected]>

* expand based on example in MPL repo

Co-authored-by: Eric Larson <[email protected]>

[ci skip]

SECURITY.md

@@ -0,0 +1,30 @@
+# Security Policy
+
+## Supported Versions
+
+New minor versions of MNE-Python are typically released twice per year.
+Only the most current stable release is officially supported.
+The unreleased, unstable "dev version" is also supported, though users
+should beware that the API of the dev version is subject to change
+without a proper 6-month deprecation cycle.
+
+| Version | Supported                |
+| ------- | ------------------------ |
+| 0.22.x  | :heavy_check_mark: (dev) |
+| 0.21.x  | :heavy_check_mark:       |
+| < 0.21  | :x:                      |
+
+## Reporting a Vulnerability
+
+MNE-Python is software for analysis and visualization of brain activity
+recorded with a variety of devices/modalities (EEG, MEG, ECoG, fNIRS, etc).
+It is not expected that using MNE-Python will lead to security
+vulnerabilities under normal use cases (i.e., running without administrator
+privileges). However, if you think you have found a security vulnerability
+in MNE-Python, **please do not report it as a GitHub issue**, in order to 
+keep the vulnerability confidential. Instead, please report it to
+[email protected] and include a description and proof-of-concept
+that is [short and self-contained](http://www.sscce.org/).
+
+Generally you will receive a response within one week. MNE-Python does not
+award bounties for security vulnerabilities.