Add additional SECURITY.md copy (keystonejs#7405)

* add security link

* add additional copy

README.md

@@ -72,6 +72,10 @@ We do our best to catch this but recommend updating Keystone packages together t
 
 KeystoneJS adheres to the [Contributor Covenant Code of Conduct](/CODE-OF-CONDUCT.md).
 
+## Security
+
+For vulnerabilty reporting, please refer to our [security policy](/SECURITY.md).
+
 ## License
 
 Copyright (c) 2021 Thinkmill Labs Pty Ltd. Licensed under the MIT License.

SECURITY.md

@@ -5,3 +5,14 @@
 If you have a security flaw to report for any software in this repository, please don't hesitate to contact us at [[email protected]](mailto:[email protected]).
 
 For feature requests, support questions or other issues, [please use GitHub](https://github.com/keystonejs/keystone/issues/new/choose).
+
+## Auditing and testing
+
+Keystone has not endured publicly-disclosable penetration testing or been professionally audited, and at this time our automated test coverage has a low emphasis on enterprise security considerations.
+
+When deploying, we currently recommend not placing Keystone at the hard edge of your infrastructure - instead opting for appropriate defence-in-depth measures such as web application firewalls, reverse proxies and or caching and load balancing infrastructure.
+
+The Keystone team holds security and security-related issues in high regard; and we issue GitHub security advisories (following a CVE process) for security vulnerabilities that are reported to us or discovered by our team.
+Without enduring a publicly-disclosable penetration test, we do not currently recommend using KeystoneJS in hostile environments or for securing highly sensitive data (such as financial or medical information).
+
+Keystone is an open source project, and thereby uses open source security tooling including GitHub security advisories, [dependabot](https://github.com/dependabot) and [renovate](https://github.com/renovatebot/renovate) to monitor and update our dependencies.