Add doc about Security vulnerability (in GDAL)

[nicowaisman]

Hey team,
We found a series of Critical vulnerabilities in Titiler, two of them allow to arbitrary read files and one of them to remotely execute commands.
We report one of them at info@developmentseed.org, but never got an answer.

What should be the best way to report them?

[vincentsarago]

Can you send them to vincent@develomentseed.org

If they are related to VRT it's not a titiler "issue" but more a GDAL or user issue

[vincentsarago]

I'm going to put this as a wontfix because it's a known issue on GDAL side https://gdal.org/en/stable/user/security.html#gdal-vrt-driver

There is few things titiler can do. Users can easily write a custom reader which won't accept VRT (or using GDAL_SKIP="VRT" env variable)

I've started an issue and GDAL to see if we could improve this OSGeo/gdal#12645

[gbip]

Maybe those security settings of GDAL should be documented somewhere in TiTiler ?

[vincentsarago]

Absolutely, I'll be more than happy to review PRs

[vincentsarago]

Also FYI this should be resolved with OSGeo/gdal#12669 but only in GDAL 3.12 (rasterio wheels are shipped with 3.9 at the moment)

[vincentsarago]

Let's add a SECURITY.md