
@koistya koistya (Member) commented Sep 16, 2025

Summary

Establishes a formal security policy (SECURITY.md) to provide clear guidelines for reporting vulnerabilities and strengthen the project's security posture. This policy creates a structured framework for coordinated vulnerability disclosure, protecting both users and the project.

Key Components

  • Clear reporting channel: Directs security reports to [email protected] instead of public channels
  • Defined scope: Explicitly outlines what constitutes a valid security issue for the starter kit vs. user implementations
  • Transparent process: Sets clear expectations with 2-day acknowledgment, 7-day triage, and 90-day remediation targets
  • Safe harbor protection: Provides legal protection for good-faith security researchers
  • Security best practices: Includes guidance for users on environment variables, authentication, dependencies, and deployment

Why This Matters

A formal security policy is essential for any production-ready starter kit. It:

  • Builds trust with enterprise users and security-conscious developers
  • Prevents public disclosure of vulnerabilities before patches are ready
  • Demonstrates the project's maturity and commitment to security
  • Integrates with GitHub's security infrastructure for better visibility
  • Follows industry standards from major JavaScript projects (Node.js, Next.js, etc.)

Implementation Notes

The policy is placed in .github/SECURITY.md which GitHub automatically recognizes and surfaces in:

  • The "Security" tab of the repository
  • A banner on the "New Issue" page directing security reports to the proper channel

This follows GitHub's recommended practices for coordinated vulnerability disclosure and aligns with the broader JavaScript ecosystem's security standards.

@koistya koistya merged commit 0b9c08a into main Sep 16, 2025
5 checks passed
@koistya koistya deleted the dev branch September 16, 2025 14:12