[Vulnerability reporting] How reporting security issues is set up now

[webknjaz]

I wanted to talk about how people can report security problems. Some time ago, I made https://github.com/aio-libs/.github/blob/master/SECURITY.md that shows up in all repositories in the org that don't have own SECURITY.md.
It mentions a shared e-mail that has everything forwarded to Andrew and me. It also suggests that it's used as the last resort with the preference of using GitHub's private security vulnerability. Earlier, not all repos had that enabled, so I made sure to enable this feature.

cc @achimnol @bdraco @Dreamsorcerer @hellysmile @jettify @mjpieters @Nothing4You @pohmelie @samuelcolvin @aio-libs/admins