docs: add SECURITY.md

Add security policy to provide clear guidelines for reporting vulnerabilities and security best practices for contributors.

Author: zichen0116

SECURITY.md

@@ -0,0 +1,41 @@
+# Security Policy
+
+## Supported Versions
+
+| Version | Supported          |
+| ------- | ------------------ |
+| latest  | :white_check_mark: |
+
+## Reporting a Vulnerability
+
+If you discover a security vulnerability in this project, please report it responsibly.
+
+**Please do NOT open a public issue for security vulnerabilities.**
+
+Instead, please send an email to the project maintainers or use GitHub's private vulnerability reporting feature.
+
+### What to include
+
+- A description of the vulnerability
+- Steps to reproduce the issue
+- Possible impact of the vulnerability
+- Any suggested fixes (if applicable)
+
+### Response Timeline
+
+- **Acknowledgment**: Within 48 hours
+- **Initial assessment**: Within 1 week
+- **Fix or mitigation**: Depends on severity, typically within 2-4 weeks
+
+### After Reporting
+
+- The security team will validate the vulnerability
+- We will work on a fix and coordinate disclosure
+- Credit will be given to the reporter (unless anonymity is requested)
+
+## Security Best Practices for Contributors
+
+- Keep dependencies up to date
+- Avoid committing sensitive information (API keys, passwords, tokens)
+- Follow secure coding practices
+- Review code changes for potential security implications