Add SECURITY.md There was no mention of our security email address, nor of our security process, in the repo, which made them hard to discover for contributors. Also, this filename is recognized by github: https://docs.github.com/en/github/managing-security-vulnerabilities/adding-a-security-policy-to-your-repository Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>

commit: a21abf249cdfd12ef71fb72e69ff06372e81bbe3 [log] [tgz]
author: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com> Thu Feb 25 11:41:38 2021 +0100
committer: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com> Thu Feb 25 12:50:42 2021 +0100
tree: 5194f037c592fc8fc9851c052ff816c1c2789202
parent: e699739f289f6009214f4e16ea53d5936615c57f [diff]
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 0000000..baf4468
--- /dev/null
+++ b/SECURITY.md

@@ -0,0 +1,18 @@
+## Reporting Vulneratibilities
+
+If you think you have found an Mbed TLS security vulnerability, then please
+send an email to the security team at
+<mbed-tls-security@lists.trustedfirmware.org>.
+
+## Security Incident Handling Process
+
+Our security process is detailled in our [security
+center](https://developer.trustedfirmware.org/w/mbed-tls/security-center/).
+
+Its primary goal is to ensure fixes are ready to be deployed when the issue
+goes public.
+
+## Maintained branches
+
+Only the maintained branches, as listed in BRANCHES.md, get security fixes.
+Users are urged to always use the latest version of a maintained branch.
commit	a21abf249cdfd12ef71fb72e69ff06372e81bbe3	[log] [tgz]
author	Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>	Thu Feb 25 11:41:38 2021 +0100
committer	Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>	Thu Feb 25 12:50:42 2021 +0100
tree	5194f037c592fc8fc9851c052ff816c1c2789202
parent	e699739f289f6009214f4e16ea53d5936615c57f [diff]