Create Security Policy for the Devfiles Org

[thepetk]

/kind user-story
/kind epic

Which area this user story is related to?

/area api
/area library
/area registry
/area alizer
/area landing-page

User Story

As part of the CNCF Defender EPIC it is recommended to add a security-policy. As part of the security policy it is also recommended to add:

• A security threat model, as part of the security-artifacts inside the SECURITY-INSIGHTS.yaml of each repo. The thread model can be the same for every devfile org repo. An example threat model is here: https://github.com/cncf/financial-user-group/blob/main/projects/k8s-threat-model/README.md
• A vulnerability reporting process, which about how to report properly a security issue.

Both the threat model and the vulnerability report process can be part of a more generic Security.md file which also can define additional policies and procedures followed by the devfile org.

Acceptance Criteria

• [Spike] Investigate a security threat model for devfiles org #1462
• [Spike] Investigate a vulnerability report process #1463
• Implement security policy for devfile/api #1629

[Jdubrick]

In addition to what Fanis states in the description, the Security.md file will most likely contain the same information for all repositories contained as part of #1297