Address Open SSF scorecard issues

[dtzar]

Address all high and medium issues found https://github.com/notaryproject/notation/security/code-scanning

• Create a security policy. This is a good template to consider.

[yizha1]

@dtzar Can we do it post rc.1?

[dtzar]

I would suggest the security policy template for vuln disclosure, Token Permissions, and Pinned Deps ones be done @ RC-1. I can't imagine all those things take more than ~1 day of work for one person and will have a big impact on the score and security. The rest, yes post RC-1.

[yizha1]

Confirmed to move this issue out of rc-1 scope. Now moved to "Discuss". We will review all the issues later for rc-2 release scope.

[yizha1]

Most of issues were fixed by PR #730 and #731.