Add security policy statement

SECURITY.md

@@ -0,0 +1,37 @@
+# Security Policy
+
+Security issues specific to the PnetCDF code base itself have so far been rare.
+The issue label, `security` is used to identify issues which manifest known
+security vulnerabilities.
+
+Security issues, when discovered, follow the same process as any other bug
+fixes.  Security issues are triaged and assessed for severity and likelihood.
+Work to correct security issues is then scheduled as appropriate.
+
+Though the project has so far not encountered urgent security vulnerabilities,
+should any arise the project will use GitHub's security communication
+mechanisms to gather information.
+
+In the event the PnetCDF user community requires notification of a potential
+urgent security vulnerability, our intention is to provide an update on or
+about the same time we use our normal communication mechanisms to alert users.
+
+## Supported Versions
+
+The supported version of PnetCDF is the *latest* release.
+All releases of PnetCDF can be found on the
+[download page](https://parallel-netcdf.github.io/wiki/Download.html).
+
+Any security issues requiring immediate updates to PnetCDF will be made
+available, at best, only in the *latest* release but might also only be made
+available in the *next* planned release.  A planned release of PnetCDF may be
+accelerated in order to address a security issue.  On very rare occasions, the
+PnetCDF project may re-release an already released version solely to address a
+specific or severe issue.
+
+## Reporting a Vulnerability
+
+Generally, any issues with security implications should be submitted through
+the project's [GitHub security](https://github.com/Parallel-NetCDF/PnetCDF/security)
+**Report a vulnerability** button.
+