Disclosure policy. Define the procedure that a reporter who finds a security issue should follow to fully disclose the problem safely, including who to contact and how. Consider HackerOne’s community edition or simply a ‘security@’ email.
Security Update policy. Define how you intend to update users about new security vulnerabilities as they are found.
Security-related configuration. Settings that users should consider because they affect the security posture of a deployment of this project, such as HTTPS, authorisation and many others.