security bug reporting system

[jskinne3]

We'll need a mechanism for people to report security flaws and vulnerabilities confidentially

[lsd-cat]

I would just enable the private vulnerability reporting on this repository on github, it generally works pretty well and is also a good experience for the reporter who can be automatically credited and follow the disclosure process, I wrote this but we can review it https://docs.webcat.tech/security.html