
Commit 67de128

Talk about typical use case & CDN removals
1 parent efea1f7 commit 67de128

File tree

1 file changed

+4
-0
lines changed


SECURITY.md

Lines changed: 4 additions & 0 deletions
@@ -6,6 +6,8 @@ The open source plotly.js library is provided "AS IS", with no security guarante
66
In the 1.x releases of plotly.js, we attempt to protect against XSS attacks (and similar issues) resulting from
77
untrusted data being graphed by plotly.js. However, XSS or other issues may still exist.
88

9+
Note that the typical use case for plotly.js is for visualizing data from trusted sources. For example if you use plotly.js to add a dashboard to your site and you control all the input data that's sent to plotly.js, you are not dependent on plotly.js for XSS protection.
10+
911
If you require a higher degree of assurance, please consider purchasing our
1012
[Plotly On-Premise](https://plot.ly/product/enterprise/) product, or [contact the Plotly sales team](mailto:[email protected])
1113
for more options.
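Review bot: the new sentence at line 9 ("you control all the input data that's sent to plotly.js") should say what "control" means, because data a site assembles itself can still be derived from untrusted sources (user-entered labels, names or text pulled from a third-party API) and then passed to plotly.js as trusted; suggest rewording to something like "and none of that data is derived from untrusted user input" so readers do not read "I generate the JSON" as "the data is trusted". Minor style point in the same line: "For example if you use" reads better as "For example, if you use", and "that's" could be "that is" to match the register of the surrounding paragraphs.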
@@ -25,6 +27,8 @@ plotly.js security fixes are normally released as "patch" releases on top of the
2527

2628
Security fixes are also backported to older versions of plotly.js as required by paying Plotly On-Premise or Plotly Cloud customers. These fixes are released as "patch" releases, and are made available to the community once affected customers have upgraded. We also accept backports to older versions contributed by community members.
2729

30+
Since the typical plotly.js use case involves trusted data, we do not remove old, potentially vulnerable versions from our GitHub repo or from our CDN.
31+
2832
## Advisories
2933

3034
All plotly.js security advisories released after August 1, 2016 are available at the [Plotly Security Advisories](http://help.plot.ly/security-advisories/) page.
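Review bot: the added line 30 explains why old, potentially vulnerable versions stay on the CDN and in the repo, but it gives CDN users no guidance on what that means for them; since a page that embeds a pinned CDN URL will keep loading the old build indefinitely, suggest adding a sentence such as "If you load plotly.js from our CDN, you are responsible for updating the version you reference; check the advisories page below for affected versions" so the trade-off stated in the hunk comes with the corresponding action. This also ties the new paragraph to the "## Advisories" section that immediately follows it.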
