📝 new iTop security policy (#85)

SECURITY.md

@@ -0,0 +1,36 @@
+# 🔒 Reporting vulnerabilities
+
+We take all security bugs seriously. Thank you for improving the security of iTop! We appreciate your efforts and
+responsible disclosure and will make every effort to acknowledge your contributions.
+
+
+## ✉️ How to report
+
+### iTop vulnerabilities
+Please send a procedure to reproduce iTop vulnerabilities to [itop-security@combodo.com](mailto:itop-security@combodo.com).
+
+You can send us a standard "given / then / when" report, including iTop version, impacts, and maybe installed modules or data if they are 
+needed to reproduce.
+
+### Dependencies vulnerabilities
+Report security bugs in third-party modules to the person or team maintaining the module, and notify us of this report by sending an email 
+to [itop-security@combodo.com](mailto:itop-security@combodo.com).
+
+
+
+## 📆 Disclosure Policy
+
+Report sent to us will be acknowledged within the week.
+
+Then, a Combodo developer will be assigned to the reported issue and will:
+
+* confirm the problem and determine the affected iTop versions
+* audit the code to search any potential similar problems
+* try to find a workaround if any
+* create fixes for all releases still under maintenance
+* send you the commit(s) for review
+* send you the next version(s) that will contain the fix, and the estimated release dates
+
+Security issues always take precedence over bug fixes and feature work.
+
+The assignee will keep you informed of the resolution progress, and may ask you for additional information or guidance.