SECURITY.md: add to all layers

SECURITY.md is a standard way to include information on how to
report a vulnerability in a project. Add it to all layers that
can be considered a separate work and could be copied by users.

Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>

SECURITY.md

+<!--
+SPDX-FileCopyrightText: Huawei Inc.
+
+SPDX-License-Identifier: CC-BY-4.0
+-->
+
+# How to report a vulnerability?
+
+If you think you have found a security issue in our distribution, please
+contact us immediatelly by posting a confidential issue in our bug
+tracker in a [dedicated security project](https://booting.oniroproject.org/security/bugtracker/-/issues).
+
+To do so, login into our issue tracker or create a new account if you do not
+have one yet. Click on `New issue`, then make sure to check the checkbox at
+the bottom
+`This issue is confidential and should only be visible to team members with at least Reporter access`.
+Please use the `Issue` type of ticket and the associated template. Fill in the
+title, answer the questions in the `Description` field. Then click
+`Create issue`.
+
+Your report should contain a description of the issue, the steps you took to
+reproduce the issue (including the image name), affected versions, and,
+if known, any mitigations for the issue.
+
+We plan to add a security-related mailing list and a possibility to send
+GPG-encrypted email in the near future.
+
+We aim to acknowledge the reception within one working day, and responding
+with a first assessment within three working days. We follow a 90 days
+disclosure timeline.
+
+We will be happy to acknowledge your work in the vulnerability
+announcement, and will do so if you do not object.

docs/SECURITY.md

+SECURITY.md
\ No newline at end of file

meta-oniro-blueprints/SECURITY.md

+SECURITY.md
\ No newline at end of file

meta-oniro-core/SECURITY.md

+SECURITY.md
\ No newline at end of file

meta-oniro-staging/SECURITY.md

+SECURITY.md
\ No newline at end of file