[TASK] Add SECURITY.md

SECURITY.md

@@ -0,0 +1,35 @@
+# Security Policy
+
+## Supported Versions
+
+The following matrix shows the versions that are currently maintained.
+
+| Version | Supported          |
+|---------|--------------------|
+| 2.x     | :white_check_mark: |
+| 1.5.x   | :white_check_mark: |
+| < 1.5.0 | :x:                |
+
+## Reporting a Vulnerability
+
+Please report potential vulnerabilities to the TYPO3 Security Team either
+
+* by reaching out to [security@typo3.org](mailto:security@typo3.org), or
+* by [reporting a new vulnerability via GitHub](https://github.com/TYPO3/html-sanitizer/security/advisories/new)
+
+### Message Encryption
+
+It is possible to send GPG/PGP encrypted emails to security@typo3.org using key id
+`C05FBE60` (complete fingerprint `B41C C3EF 373E 0F5C 7018 7FE9 3BEF BD27 C05F BE60`):
+
+* download [public key file from keys.openpgp.org](https://keys.openpgp.org/vks/v1/by-fingerprint/B41CC3EF373E0F5C70187FE93BEFBD27C05FBE60)
+* download [public key file from typo3.org](https://typo3.org/fileadmin/t3o_common_storage/keys/B41CC3EF373E0F5C70187FE93BEFBD27C05FBE60.asc)
+
+## TYPO3 Release Dates / "Patchday"
+
+TYPO3 releases (including potential security fixes) are usually released
+on Tuesdays (except for holidays like Christmas or New Year's Day).
+
+[Maintenance releases](https://typo3.org/cms/roadmap/maintenance-releases)
+for stable versions have been scheduled in advance - it is very likely that
+security fixes are released during these dates as well.