Added security policy

SECURITY.md

@@ -0,0 +1,37 @@
+# Security Policy
+
+## Reporting Vulnerabilities
+
+Thank you for your collaboration keeping Thymeleaf safe and secure. If you believe you have found a security
+issue in Thymeleaf, please notify us so that we can work with you in its prompt resolution.
+
+### Disclosure Policy
+
+* Let us know as soon as possible by sending an email to [[email protected]](mailto:[email protected]).
+* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a
+  third-party. Especially, **do not** create a GitHub issue ticket yourself talking about the
+  vulnerability. We may publicly disclose the issue _before_ resolving it, but only if appropriate.
+
+### Credit
+
+We will credit the reporter of a confirmed vulnerability in the GitHub ticket created for publishing it (typically
+once it is fixed).
+
+### Exclusions
+
+We reserve the right to consider out of the scope of Thymeleaf's security:
+
+* Developer bad practices and inadequate uses of Thymeleaf that effectively _create_ the vulnerability in
+  the applications being developed with Thymeleaf.
+* Attacks requiring physical access to the machine Thymeleaf is running on.
+* Issues in Thymeleaf's software dependencies which can be reported to these dependencies' maintainers.
+
+
+## Supported Versions
+
+  * 3.1.x is the current development line. This version is **not** recommended for production use yet.
+  * 3.0.x is the latest production line (GA as of May 2016) and is under active support.
+  * 2.1.x and previous versions are no longer supported. No further maintenance
+    and security patches are planned in those lines.
+
+At this point, we recommend upgrading to the latest Thymeleaf 3.0.x release.