Created Vulnerability Reporting (markdown)

Vulnerability-Reporting.md

@@ -0,0 +1,12 @@
+Per our [security policy](https://github.com/netbox-community/netbox/blob/develop/SECURITY.md), all potential vulnerabilities must be reported via email to `security@netboxlabs.com`.
+
+Initial triage of vulnerability reports is handled by the NetBox Labs support team, and valid reports are forwarded to the NetBox maintainers team for further investigation. A NetBox maintainer will then:
+
+* Validate the reported vulnerability
+* Determine its impact and severity
+* Create a (private) draft [GitHub security advisory](https://docs.github.com/en/code-security/security-advisories)
+* Coordinate with other maintainers to devise and implement a solution
+
+Once implemented, the solution will be shipped in the next stable release of NetBox. Particularly severe issues may warrant immediately releasing a new version of NetBox. Security advisories will be published after a stable release containing the fix has been available for some time.
+
+Please note that we do not issue or respond to CVEs, as these reports are entirely unmoderated and often inaccurate, redundant, and/or overstated with regard to actual impact on the product. ([This article](https://www.bleepingcomputer.com/news/security/dev-rejects-cve-severity-makes-his-github-repo-read-only/) explores the challenges of dealing with nuisance CVEs.)