add security.md

Author: kumaF

SECURITY.md

@@ -0,0 +1,51 @@
+# Security Policy
+
+## Supported Versions
+
+We support security fixes for the latest released version and the `master` branch.
+
+| Version | Supported |
+| ------- | --------- |
+| Latest  | ✅        |
+| Older   | ❌        |
+
+## Reporting a Vulnerability
+
+If you believe you’ve found a security vulnerability, **please do not open a public GitHub issue**.
+
+Instead, report it privately using one of the following:
+
+### Preferred: GitHub Private Vulnerability Reporting
+- Go to: **Security** → **Advisories** → **Report a vulnerability**
+- Provide as much detail as possible (see “What to include” below).
+
+### Alternative: Email
+- Email: **[email protected]**
+
+## What to Include
+
+Please include:
+- A clear description of the issue and potential impact
+- Steps to reproduce (proof-of-concept if available)
+- Affected versions/branches
+- Any suggested fix or mitigation (if you have one)
+
+## Response Timeline
+
+We aim to:
+- Acknowledge receipt within **3 business days**
+- Provide a status update within **7 business days**
+- Release a fix as soon as practical based on severity and complexity
+
+## Coordinated Disclosure
+
+We follow coordinated disclosure practices. Please allow reasonable time to investigate and remediate before any public disclosure.
+
+## Security Updates
+
+Security fixes may be released as:
+- Patch releases
+- Advisory notes (GitHub Security Advisory)
+- Changelog entries (when appropriate)
+
+Thank you for helping keep this project and its users safe.