Feature: Add SECURITY.md and update README.md

Closes #3405

README.md

@@ -32,10 +32,14 @@ the demo page: `Admin / ipamadmin`
 Community maintained docker images are available at https://hub.docker.com/u/phpipam
 
 ## Changelog
-See misc/CHANGELOG
+See [misc/CHANGELOG](misc/CHANGELOG)
 
 ## Roadmap
-See misc/Roadmap
+See [misc/Roadmap](misc/Roadmap)
+
+## Security
+
+See [SECURITY.md](SECURITY.md)
 
 ## Contact
 miha.petkovsek@gmail.com
@@ -46,4 +50,4 @@ that is used for development of phpIPAM and for demo site.
 And also to all users that filed a bug report / feature report and helped with feature testing!
 
 ## License
-phpIPAM is released under the GPL v3 license, see misc/gpl-3.0.txt.
+phpIPAM is released under the GPL v3 license, see [misc/gpl-3.0.txt](misc/gpl-3.0.txt).

SECURITY.md

+# Security Policy
+
+## Supported Versions
+
+The development branch and non-obsolete production branches listed in [README.md](README.md) are supported with security updates.
+
+Issues only in feature testing (non-production) branches should be reported via the GitHub issue tracker.
+
+## Reporting a Vulnerability
+
+Please report suspected security vulnerabilities to the contacts below. We will aim to acknowledge your email within 48 hours but could be longer (holidays etc...)
+
+- Gary Allan (maintainer) github@gallan.co.uk
+- Miha Petkovsek (owner) miha.petkovsek@gmail.com
+
+## Guidelines
+
+CVE numbers will not be provided by the phpIPAM project due to lack of resources to manage their lifecycle. If you require a CVE number please obtain prior to reporting a vulnerability and include with your submission.
+
+Issues that are the responsibility of end-users such as use of weak passwords or choice to deploy with HTTP vs HTTPS will be rejected.
\ No newline at end of file