We should add a SECURITY.md

[real-or-random]

It's now good practice to have a SECURITY.md file that explains a well-defined process for reporting vulnerabilities. Core has this too:
https://github.com/bitcoin/bitcoin/blob/master/SECURITY.md

This is also a good chance to think about the process, i.e., who should actually be informed about vulnerabilities in this library. This is not completely obvious since this library somehow belongs to Bitcoin Core (I mean the software, not the "organization"/group of people) but on the other hand is maintained separately.

[elichai]

Maybe this question should go on to the mailing list / bitcoin/bitcoin issues too? so that the rest of the bitcoin community/maintainers could express their opinions.
I think it's a very good question.