Adding security standards markdown and referencing both security and contributing guidelines from the root README.

Author: mattpolzin

README.md

@@ -27,6 +27,8 @@ A library containing Swift types that encode to- and decode from [OpenAPI](https
   - [Generating OpenAPI Documents](#generating-openapi-documents)
   - [Semantic Diffing of OpenAPI Documents](#semantic-diffing-of-openapi-documents)
 - [Notes](#notes)
+- [Contributing](#contributing)
+- [Security](#security)
 - [Specification Coverage & Type Reference](#specification-coverage--type-reference)
 
 ## Usage
@@ -255,5 +257,17 @@ This library *is* opinionated about a few defaults when you use the Swift types,
 
 See [**A note on dictionary ordering**](#a-note-on-dictionary-ordering) before deciding on an encoder/decoder to use with this library.
 
+## Contributing
+Contributions to OpenAPIKit are welcome and appreciated! The project is mostly maintained by one person which means additional contributors have a huge impact on how much gets done how quickly.
+
+Please see the [Contribution Guidelines](./CONTRIBUTING.md) for a few brief notes on contributing the the project.
+
+## Security
+The OpenAPIKit project takes code security seriously. As part of the Swift Server Workground incubation program, this project follows a shared set of standards around receiving, reporting, and reacting to security vulnerabilies.
+
+Please see [Security](./SECURITY.md) for information on how to report vulnerabilities to the OpenAPIKit project and what to expect after you do.
+
+**Please do not report security vulnerabilities via GitHub issues.**
+
 ## Specification Coverage & Type Reference
 For a full list of OpenAPI Specification types annotated with whether OpenAPIKit supports them and relevant translations to OpenAPIKit types, see the [Specification Coverage](./documentation/specification_coverage.md) documentation. For detailed information on the OpenAPIKit types, see the [full type documentation](https://github.com/mattpolzin/OpenAPIKit/wiki).

SECURITY.md

@@ -0,0 +1,43 @@
+# Security
+
+This document specifies the security process for the OpenAPIKit project.
+
+## Disclosures
+
+### Private Disclosure Process
+
+The OpenAPIKit maintainers ask that known and suspected vulnerabilities be
+privately and responsibly disclosed by emailing
+[[email protected]](mailto:[email protected])
+with the all the required detail.
+**Do not file a public issue.**
+
+#### When to report a vulnerability
+
+* You think you have discovered a potential security vulnerability in OpenAPIKit.
+* You are unsure how a vulnerability affects OpenAPIKit.
+
+#### What happens next?
+
+* A member of the team will acknowledge receipt of the report within 3
+  working days (United States). This may include a request for additional
+  information about reproducing the vulnerability.
+* We will privately inform the Swift Server Work Group ([SSWG][sswg]) of the
+  vulnerability within 10 days of the report as per their [security
+  guidelines][sswg-security].
+* Once we have identified a fix we may ask you to validate it. We aim to do this
+  within 30 days. In some cases this may not be possible, for example when the
+  vulnerability exists at the protocol level and the industry must coordinate on
+  the disclosure process.
+* If a CVE number is required, one will be requested from [MITRE][mitre]
+  providing you with full credit for the discovery.
+* We will decide on a planned release date and let you know when it is.
+* Prior to release, we will inform major dependents that a security-related
+  patch is impending.
+* Once the fix has been released we will publish a security advisory on GitHub
+  and in the Server → Security Updates category on the [Swift forums][swift-forums-sec].
+
+[sswg]: https://github.com/swift-server/sswg
+[sswg-security]: https://github.com/swift-server/sswg/blob/main/security/README.md
+[swift-forums-sec]: https://forums.swift.org/c/server/security-updates/
+[mitre]: https://cveform.mitre.org/