docs(security): add responsible disclosure policy (#11300)

README.md

@@ -50,7 +50,7 @@ $ npm install --save tedious # Microsoft SQL Server
 - [Contributing](https://github.com/sequelize/sequelize/blob/master/CONTRIBUTING.md)
 
 ## Responsible disclosure
-If you have any security issue to report, contact project maintainers privately. You can find contact information in [CONTACT.md](https://github.com/sequelize/sequelize/blob/master/CONTACT.md).
+If you have security issues to report please refer to our [Responsible Disclosure Policy](./SECURITY.md) for more details.
 
 ## Resources
 

SECURITY.md

@@ -0,0 +1,24 @@
+# Security Policy
+
+## Supported versions
+
+The following table describes the versions of this project that are currently supported with security updates:
+
+| Version | Supported          |
+| ------- | ------------------ |
+| 3.x   | :heavy_check_mark:   |
+| 4.x   | :heavy_check_mark:   |
+| 5.x   | :heavy_check_mark:   |
+
+## Responsible disclosure policy
+
+At Sequelize, we prioritize security issues and will try to fix them as soon as they are disclosed.
+
+If you discover a security vulnerability, please reach the project maintainers privately. You can find related information in [CONTACT.md](./CONTACT.md).
+
+After validating & discussing scope of security vulnerability, we will set a time-frame for patch distribution. This time-frame may vary depending upon the nature of vulnerability.
+
+Once effected versions are patched you may report security issue to any Node.js security vulnerability database. A few which we have worked with in past are listed below.
+
+- [NPM](https://www.npmjs.com/advisories/report)
+- [Snyk.io](https://snyk.io/vulnerability-disclosure)