Adopt a security issues policy
I think we can use something less severe than Tor's policy while we are still pre-1.0.0, but I think we should still track issues in any case: security issue tracking makes it easier to audit afterwards to find out how we can get better at security.
We should decide whether we track upstream issues or not. I'd like to say "not", but perhaps we should: so long as we are shipping a Cargo.lock and listing min-versions in our Cargo.toml files, we are sort of responsible for which versions we are listing?
Our first issues to put on the registry are:
- The link handshake validation issue I fixed with 11cd138c. I believe it predates the actual use of an issue tracker here.
- The environment-related bug in chrono that caused us to migrate to time.
- The string-slicing bug in simple_asn1.
Assigning to me, but I'd like feedback from anybody who's interested.