Add a security policy

[vks]

We could use GitHub's security tab with the following SECURITY.md:

# Security Policy

## Supported Versions

The following versions of Rand are currently being supported with security updates:

| Version | Supported          |
| ------- | ------------------ |
| 0.7.x   | :white_check_mark: |
| < 0.7.0 | :x:                |

## Reporting a Vulnerability

To report a vulnerability, just [open an issue](https://github.com/rust-random/rand/issues/new).
Once the issue is resolved, the vulnerability should be [reported to RustSec](https://github.com/RustSec/advisory-db/blob/master/CONTRIBUTING.md).

[dhardy]

But is it useful?

[vks]

Well, we might want to have an advisory for the undefined behavior that was fixed with Rand 0.7.0.

[dhardy]

True. We did backport (#853) so users should be recommended to upgrade to rand_core 0.4.2 or 0.5.0.

[vks]

I opened rustsec/advisory-db#149.

[dhardy]

@tarcieri perhaps you have an opinion on whether this is useful enough to justify yet-another-piece-of-documentation?

The only explicit information it adds is a list of which versions will receive security updates — yet (a) this doesn't rule out backports (e.g. #853) and (b) this doesn't even attempt to answer the question of when a potential security issue is worth addressing (e.g. #699 prompted us to avoid use of JitterRng going forward, but not to patch old releases — something that may have been disruptive since #804 highlights a bug in our old OsRng code (in a case where JitterRng presumably also failed)).

[tarcieri]

I think it's useful, particularly documenting the "bar" for a CryptoRng. FWIW, we rejected rustsec/advisory-db#149 as unexploitable.