
Create a security policy (SECURITY.md) #5306

Open
Alexia opened this issue Feb 19, 2021 · 2 comments

@Alexia

Alexia commented Feb 19, 2021

This organization could use a security policy visible in the file root for reporting vulnerabilities on beta.gouv.fr and the GitHub organization.

This morning @Morendil invited me to the GitHub organization and granted me access to the beta.gouv.fr team. This immediately granted me read and write access to the team's repositories. This also gave me administrator access to https://beta.gouv.fr/admin/ and https://blog.beta.gouv.fr/admin/.

As far as I can tell my profile was not inspected to determine if I was the correct person that Morendil was attempting to invite.

@Morendil
Contributor

Morendil commented Feb 19, 2021

Hi @Alexia - thanks for the feedback. We are currently in the process of setting up a bug bounty (to launch in the next few days) and publishing a vulnerability disclosure policy (no schedule yet), which might well take the form of such a file.

Would you please contact me privately at the email address listed on my profile to review the events you mention above?

@Morendil
Contributor

We have corrected the error and reconstituted the events leading up to it, and I'm confident your prompt notification will help in making the process more robust. Thanks again! It was a pleasure having you in the org, however briefly or erroneously.
