SECURITY.md: add file

Add details about Qt Project security policy. The SECURITY.md file
is now required by the yocto-check-layer script.

Pick-to: 6.9 6.8
Change-Id: Icbcd63bb15c0d106b1bde4c2b9c43aebe1031797
Reviewed-by: Mikko Gronoff <mikko.gronoff@qt.io>
Reviewed-by: Inkamari Harjula <inkamari.harjula@qt.io>
Reviewed-by: Ari Parkkila <ari.parkkila@qt.io>

SECURITY.md

@@ -0,0 +1,26 @@
+Qt Project Security Policy
+==========================
+
+The Qt Project specifies its security policy in [QUIP 15](https://contribute.qt-project.org/quips/15). A summary of the security policy:
+
+* Qt has a Core Security Team that enforces the security policy and addresses issues.
+* Proactive measures to prevent security issues - code reviews, code analysis, fuzz testing, and so on.
+* Reporting Security Issues: the Core Security Team monitors security issues for Qt modules and affected third-party components.
+* Handling Security Issues: the maintainers, Core Security Team, Chief Maintainer, and the Qt Company share and handle security issues.
+* Disclosure of confirmed security issues at Common Vulnerabilities and Exposures database and a public announcement to the Qt announce@qt-project.org mailing list.
+
+Reporting Security Issues
+-------------------------
+
+To report security issues in Qt Products, send an email to Security Mail List at security@qt-project.org.
+The Core Security Team monitors and moderates incoming emails on business days (excluding weekends).
+After sending an email to the Security Mail List, there will be an acknowledgment of receipt within
+two business days. If there is no response, then the reporter should contact the Chief Maintainer directly.
+
+What Versions of Qt are Covered by this Policy?
+-----------------------------------------------
+
+While we are interested in reports against any Qt version that is still maintained, fixes are only guaranteed to be provided for:
+
+* The latest released version.
+* The preceding minor version.