Add requirement for documented security processes

[lizrice]

As discussed in TOC meeting Feb 16. The idea is not to impose any particular security processes, just to clarify that they must be in place.
I'm proposing that this should be in place at Incubation level, since we expect it to be in production with some users at that stage.

See also

• Review Security Vulnerability/Communication response policy for CNCF incubated/graduated projects tag-security#538 where SIG Security have offered to assess whether existing incubated / graduated projects have process in place
• Define and advocate a security reporting process for CNCF projects tag-security#183 on providing a template - TOC doesn't want to impose a specific process, but guidance for projects would be helpful

[caniszczyk]

let's leave this open until Friday morning, ping @cncf/toc for their +1s

[dims]

+1 from m.e

[lizrice]

not sure if I need to +1 my own PR but here it is 😀

[saad-ali]

/lgtm

+1

[rochaporto]

+1

[dzolotusky]

+1

[justincormack]

+1

[alena1108]

+1

[erinaboyd]

+1