docs: add security policy

Author: dougwilson

Diff for: SECURITY.md

@@ -0,0 +1,24 @@
+# Security Policies and Procedures
+
+## Reporting a Bug
+
+The `sqlstring` team and community take all security bugs seriously. Thank you
+for improving the security of this module. Your efforts and responsible disclosure
+and every effort will be made to acknowledge your contributions, as long as they
+were responsibility disclosed.
+
+Report security bugs by emailing the current owners of `sqlstring`. This information
+can be found in the npm registry using the command `npm owner ls sqlstring`.
+If unsure or unable to get the information from the above, open an issue
+in the [project issue tracker](https://github.com/mysqljs/sqlstring/issues)
+asking for the current contact information.
+
+To ensure the timely response to your report, please ensure that the entirety
+of the report is contained within the email body and not solely behind a web
+link or an attachment.
+
+At least one owner will acknowledge your email within 48 hours, and will send a
+more detailed response within 48 hours indicating the next steps in handling
+your report. After the initial reply to your report, the owners will
+endeavor to keep you informed of the progress towards a fix and full
+announcement, and may ask for additional information or guidance.