Add security policy to GraphQL-TSC.md

[benjie]

As discussed in https://github.com/graphql/tsc/discussions/5 and #825, this text was proposed by @brianwarner and has been lightly edited by myself.

According to making changes to this document:

Pull requests against this document that do not conflict with the Technical Charter can be merged provided the following conditions have been met:

• There are no outstanding objections
• There are two approvals by TSC members (not including the author)
• The PR has been open for at least 72 hours

TL;DR: this PR can be merged after 2022-02-06T14:40:00Z assuming it gets two approvals and no objections

[leebyron]

@brianwarner should we set up an email alias to have a more clear disclosure guidance?

[brianwarner]

Sure thing. "[email protected]"? Maybe going to you and the operations@ alias?

In my experience these tend to attract a lot of spam and emails from bug bounty farms, so it probably makes sense going to someone who can triage before passing it along.

[leebyron]

This email is up and running if you want to swap this language @benjie

[benjie]

Done 👍

[quapka]

Hi folks!

Have you considered adding a SECURITY.md file to the respective repositories? Landing here when looking for a security policy in one of the /graphql/* projects seems still non-trivial.

The same goes for the main website. Seems worth linking from contacts page to the policy.

[benjie]

I have one open for spec here: graphql/graphql-spec#930 but it might make sense to create it in the https://github.com/graphql/.github repo instead so it automatically applies to all repos (but can still be overridden if desired).

What do you think @graphql/tsc?