add guidelines for stage 3 reviewers that includes a mention of security review

[michaelficarra]

At the Nov 2018 breakout session, we thought it might be valuable for stage 3 reviewers to have guidelines for what to consider during review. We could encourage them to consider security by including it in the guidelines. @natashenka has offered to put together a PR for the process document that would include this section, then present it to the committee at a future meeting.

[ljharb]

This sounds like a great addition to tc39/process-document#18 :-D "Security" could be one of the risk areas defined at an early stage, that's evaluated as part of stage 3.

[michaelficarra]

The W3C (https://www.w3.org/TR/security-privacy-questionnaire/) and IETF (https://datatracker.ietf.org/doc/html/rfc3552) each have security consideration guidelines. We can take inspiration from these documents.