mstorsjo / fdk-aac

A standalone library of the Fraunhofer FDK AAC code from Android.

Home Page: https://sourceforge.net/projects/opencore-amr/

Create a Security Policy

eslerm opened this issue · comments

fdk-aac lacks a SECURITY.md

If a vulnerability is found in fdk-aac, a researcher will not know how to privately raise the issue with your developers. The only places I could find to report one are this public issue tracker or public mailing lists.

By defining a Security Policy, fdk-aac can set clear expectations for reporters who want to keep fdk-aac and its users safe.

Here's GitHub Security's policy as an example. Another option is to use GitHub's private vulnerability reporting feature.

Since fdk-aac syncs from https://android.googlesource.com/platform/external/aac (or https://sourceforge.net/projects/opencore-amr/ ?), it might be most appropriate if the SECURITY.md points to where issues should be reported upstream.

#167 was reported by @jslarraz to Android VRP. Android requested a PoC and directed him to https://bughunters.google.com/learn/invalid-reports/android-platform/5148417640366080/bugs-with-negligible-security-impact#unreachable-bugs