
docs: add security escalation policy#1810

Merged
Krinkle merged 2 commits into qunitjs:main from UlisesGascon:patch-1
Jan 31, 2026

@UlisesGascon
Contributor

👋 Hi everyone! We’re @UlisesGascon and @RafaelGSS, working with the OpenJS Foundation as part of the Alpha-Omega initiative. Our focus is supporting OpenJS projects in strengthening their security posture. We can help with things like:

  • Reviewing or creating security documentation (e.g., SECURITY.md, incident response plans...)
  • Supporting vulnerability handling and escalation (reporting, triage, CVEs, disputes)
  • Reviewing repo configurations and GitHub security settings
  • Sharing best practices (e.g., OSSF Scorecard)
  • Answering general questions on licenses, compliance, or incident response

✨ We’re here as a resource for the QUnit team and happy to collaborate on whatever is most useful for you. Looking forward to working together!

References:

@Krinkle
Member

Krinkle commented Jan 30, 2026

I suspect this phrasing came from a general OpenJS webpage or document. I've removed "if you cannot find a private security contact", because the contact is above it in the same document. I've also rephrased it in first person because the grammar felt odd when read in context of the Security policy, as presented within the QUnit project itself.

@UlisesGascon
Contributor Author

The current changes are fine. @Krinkle thanks for updating the PR 👍

@Krinkle Krinkle merged commit a76c166 into qunitjs:main Jan 31, 2026
9 checks passed