Add security policy

README.md

@@ -303,3 +303,5 @@ The goal is practical: reduce noisy IAM alerts by adding identity context before
 ## Disclaimer
 
 All data is simulated. This project is defensive only. It does not collect credentials, use real API keys, connect to production tenants, or perform offensive exploitation.
+
+For public reporting boundaries and safe sample-data guidance, see [SECURITY.md](SECURITY.md).

SECURITY.md

@@ -0,0 +1,34 @@
+# Security Policy
+
+IdentityRiskGraph is a defensive portfolio project that uses simulated identity data, sample CloudTrail-style events, and optional public GitHub repository metadata.
+
+## Reporting
+
+If you notice a safety issue in the public content, open a GitHub issue with:
+
+- the affected file or feature
+- a short description of the concern
+- sanitized reproduction details, if relevant
+
+Do not include real credentials, tokens, private logs, customer data, tenant IDs, AWS account IDs, internal hostnames, private IP addresses, or screenshots from live environments.
+
+## Scope
+
+In scope:
+
+- accidental sensitive data exposure in committed samples
+- misleading detection or risk-scoring wording
+- unsafe public API usage patterns
+- broken examples that could confuse defensive analysis
+
+Out of scope:
+
+- requests to analyze private logs publicly
+- offensive expansion beyond defensive detection context
+- environment-specific allowlists or proprietary detections
+
+## Safe Usage
+
+The GitHub API adapter reads public repository metadata and prints local review notes. It does not store responses, write to GitHub, inspect private code, or treat metadata as a security verdict.
+
+All included IAM, device, event, and CloudTrail data is simulated and should not be treated as production evidence.