Add SECURITY.md

SECURITY.md

@@ -0,0 +1,35 @@
+# Security Policy for CPAN::Audit
+
+## Reporting security issues
+
+**Do not report security problems on public forums or in repository
+issues.**
+
+Privately report vulnerabilities to the maintainers listed at the end
+of this document. Include as many details as possible to reproduce the
+issue, including code samples or test cases. Check that your report
+does not expose any of your sensitive data, such as passwords, tokens,
+or other secrets.
+
+You do not need to have a solution or fix. Depending on the issue,
+CPANSec may be notified. Depending on the issue, CPANSec may be
+notified.
+
+You can also privately report issues to the CPAN Security Group
+(CPANSec) <[email protected]>. This is especially
+important if you think a vulnerability is being actively exploited.
+CPANSec may report the issue to the relevant authorities. See [Report
+a Security Issue](https://security.metacpan.org/docs/report.html).
+
+## Response to reports
+
+The maintainers aim to respond to all reports within one day, but this
+may be affected by life and other things that happen to people who
+maintain open source code.
+
+A new release will be provided as soon as possible.
+
+## Maintainers
+
+* brian d foy, <[email protected]>
+