Update security policy with threat model #304
Description
Our security policy should make clear that compromised indexes (including through MitM attacks or externally reconfigured PyManager installs) are outside of our threat model and are not considered vulnerabilities.
The index has the ability to provide arbitrary code to be executed on the user's machine by design, and so anything else that may be possible pales into insignificance if the index is not trustworthy. We also intentionally design for custom indexes, which means we cannot validate that the index being used matches the one published to python.org.
Specific vulnerabilities in the index hosted on python.org should be reported through the regular security channels, as they need to be fixed in the CPython release process, not here.