Create an initial Security.md document.

SECURITY.md

@@ -0,0 +1,25 @@
+# Security Policy
+
+## Supported Versions
+
+Only the `master` branch of the library will receive security updates.
+Security updates will **NOT** be applied to any previously published or released versions.
+
+A new release version of the library will be published, _if required_, to address any security updates.
+
+
+## Reporting a Vulnerability
+
+Please report any _sensitive_, _critical_, or _urgent_ vulnerablities directly to _David Conran ([email protected])_ **and** _Christian Nilsson ([email protected])_.
+
+After we have assessed the issue, we will work out how we will handle the matter and let you know how to proceed.
+
+If the vulnerablity is neither _sensitive_, _critical_, or _urgent_, please just create a <a href="https://github.com/crankyoldgit/IRremoteESP8266/issues/new/choose">new issue</a> as per normal.
+
+You _should_ receive an initial response with in **48** _(or so)_ hours typically.
+You _should_ get updates on a security vulnerability report with in a week, probably much sooner.
+This project is supported completely on a ad-hoc volounteer basis, and has only a handful of main contributers so there could be unforseen delays. e.g. Vacations etc.
+
+If you don't hear from anyone with in _two weeks_ & you think you should have, it's probably safe to assume we have missed you're messages. Please try again, or via another method or channel.
+
+We will endeavour to keep the issue reporter(s) in the loop as much as practical, and address the reported issue as soon as feasible.