Create SECURITY.md for clarity on support and reporting (#152)

Author: peter-matkovski

SECURITY.md

@@ -0,0 +1,29 @@
+# Security Policy
+
+## Supported Versions
+
+Security updates are only applied to the **latest minor release** on the `main` branch.
+
+## Reporting a Vulnerability
+
+At Stream we are committed to the security of our Software. We appreciate your efforts in disclosing vulnerabilities responsibly and we will make every effort to acknowledge your contributions.
+
+Report security vulnerabilities at the following email address:
+```
+[email protected]
+```
+
+**Do NOT open a public issue.**
+
+A representative of the security team will be in touch if more information is needed.
+
+### Information to include in a report
+While we appreciate any information that you are willing to provide, please make sure to include the following:
+* Which repository is affected
+* Which branch, if relevant
+* Be as descriptive as possible, the team will replicate the vulnerability before working on a fix.
+
+### Scope
+
+Only code in this repository is in scope.  
+Third-party services (hosted demo, npm registry, etc.) are handled separately.