feat(github): Add Security Policy

SECURITY.md

@@ -0,0 +1,27 @@
+# Security Policy
+
+## Supported Versions
+
+Noir is not fully audited and is not recommended for use in production.
+
+| Version | Supported          |
+| ------- | ------------------ |
+| All versions | ❌ Not production ready |
+
+## Reporting a Vulnerability
+
+Noir sets out to be a secure language for developing zero-knowledge proofs. We thank you for taking the time to responsibly disclose any vulnerabilities you find.
+
+### Bugs vs Vulnerabilities
+
+Bugs are all unexpected behaviors in the system, while vulnerabilities are a subset of bugs that are abusable for malicious intents:
+- If your bug is not necessarily abusable for malicious intents, [create a public bug report](https://github.com/noir-lang/noir/issues/new?template=bug_report.yml)
+- If your bug is abusable, report it following the steps below
+
+### How to Report
+
+Report all vulnerabilities using ["Report a vulnerability"](https://github.com/noir-lang/noir/security/advisories/new), which will create a private GitHub security advisory, notify, and be accessible to a small security team who will scope out and execute next steps in addressing the vulnerability. The security team may reach out to you on GitHub for additional details and guidance.
+
+You may find GitHub's documentation on [best practices for writing repository security advisories](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/best-practices-for-writing-repository-security-advisories) useful for filling out the reporting form.
+
+Please **DO NOT** report vulnerabilities using public GitHub Issues. That would expose Noir projects to undesirable risks of being exploited.