Org-wide security policy

[ianlewis]

It would be good to have an org-wide security policy that can cover all SLSA projects (we could also defer to OpenSSF, though theirs seems to be fairly minimal).

slsa-framework/slsa-github-generator#1262 contains a version of a security policy developed for slsa-github-generator that could be adapted for an org-wide policy.