Summarize Squid Project security policy (#630)

As an added bonus, GitHub recognizes this file as one of the "Community
health" files and refers folks filing security issues to it.

SECURITY.md

@@ -0,0 +1,37 @@
+# Security Policy
+
+## Supported Versions
+
+Security-related reports are considered for official numbered releases
+starting with v3.5. However, issues that do not affect the current Stable or
+Beta series are unlikely to be fixed. Please see
+http://www.squid-cache.org/Versions/ for the list of releases that belong to
+the current series.
+
+Reports about security issues in the Development series are welcomed. However,
+development series contains experimental code that does not qualify for CVE
+allocation.
+
+
+## Reporting a Vulnerability
+
+To report security-sensitive bugs, please post to the squid-bugs mailing
+(list)[http://www.squid-cache.org/Support/mailing-lists.html#squid-bugs]. It
+is a closed list (although anyone can post), and security related bug reports
+are treated in confidence at least until the impact has been established.
+
+The security team strives to manually acknowledge each new report within 48
+hours. Please feel free to email a reminder if you have not heard from us
+within that time frame.
+
+As a _last_ resort (e.g., if the squid-bugs contact point appears to be
+broken), contact the release maintainer directly. The maintainer is on the
+security team but may not be able to respond promptly.
+
+
+### Encrypted reports
+
+Reporters wishing to encrypt their vulnerability reports can request GPG
+public keys from the security team members via the squid-bugs mailing list.
+Please note that encrypting reports may slow down their handling and is
+unlikely to improve the overall security of the process.

scripts/spell-check.sh

@@ -58,7 +58,7 @@ for FILENAME in `git ls-files "$@"`; do
     *.sh|\
     *.pre|\
     *.pl|*.pl.in|*.pm|\
-    *.dox|*.html|*.txt|\
+    *.dox|*.html|*.md|*.txt|\
     *.sql|\
     errors/templates/ERR_*|\
     INSTALL|README|QUICKSTART)