Proposed security disclosure policy

This post on internals is also relevant to Rust users, and we would appreciate feedback from everyone, so I'm cross-posting here for attention.