We should add a SECURITY.md exposing all privacy/security issues while implementing a lightning client and the requirements to mitigate them.

To mention:

* `payment_secret` [secure randomness](https://github.com/rust-bitcoin/rust-lightning/pull/441#discussion_r398954953)
* broadcasting interface privacy leaks (end-goal is to internalize it but right now it's up to the user)
* ChainWatchInterface and chain backend security tradeoffs
* UTXO pool size/population when CPFP
* channel parameters value (congestion, dust inflation)
* watchtower integration
* key interface and key management
* ChannelMonitor consistency and storage