Update security section of README

[joshbruce]

Marked version: 0.3.17

Description

Recommendation from @davisjam via comment on #1083 seemed like a good one to me and more in keeping with standard operating procedures within the broader open source community regarding reporting and resolution of security issues (thanks for the education). Modified language to use "committers" and explicitly call out NPM owners.

Right now @chjj and I get all the security-related emails because we are the listed owners of the package in NPM. Having said that, I'm not sure there's much he and I are able to actually do to resolve them (for various reasons).

Might be nice to add emails (or something) for the committers on the AUTHORS page (see Django, for example)...?? I'm all about consent checks, especially with someone's contact information.

Collaborating with someone like @davisjam becomes difficult to accomplish via the internal discussion board (unless I'm showing my ignorance again) because he is not part of the "team" according to GitHub; so, email might be an appropriate alternative.

Contributor

• Test(s) exist to ensure functionality and minimize regresstion (if no tests added, list tests covering this PR); or,
• no tests required for this PR.
• If submitting new feature, it has been documented in the appropriate places.

Committer

In most cases, this should be a different person than the contributor.

• Draft GitHub release notes have been updated.
• cm_autolinks is the only failing test (remove once CI is in place and all tests pass).
• All lint checks pass (remove once CI is in place).
• CI is green (no forced merge required).
• Merge PR

[joshbruce]

Merging. @davisjam, this is more your area of expertise; so, please update as you see fit.

[davisjam]

LGTM