docs: Create SECURITY.md with responsible disclosure policy

SECURITY.md

@@ -0,0 +1,40 @@
+# Security Policy
+
+## Supported Versions
+
+| Version | Supported |
+|---------|-----------|
+| latest (main) | ✅ |
+| older releases | ❌ |
+
+## Reporting a Vulnerability
+
+**Do not open a public GitHub issue for security vulnerabilities.**
+
+Report vulnerabilities privately via GitHub's [Security Advisories](https://github.com/XStreamRollz/XStreamRoll/security/advisories/new) or by emailing the maintainers directly (see repository contact info).
+
+Include:
+- Description of the vulnerability
+- Steps to reproduce
+- Potential impact
+- Any suggested fix (optional)
+
+## Response SLA
+
+| Severity | Acknowledgment | Resolution Target |
+|----------|---------------|-------------------|
+| Critical | 48 hours | 7 days |
+| High | 48 hours | 14 days |
+| Medium/Low | 48 hours | 30 days |
+
+## Disclosure Policy
+
+We follow **coordinated disclosure**:
+
+1. You report privately.
+2. We acknowledge within 48 hours.
+3. We work on a fix and keep you informed.
+4. Once a fix is released, we credit you (unless you prefer anonymity) and publish a security advisory.
+5. Public disclosure happens after the fix is available.
+
+Thank you for helping keep XStreamRoll secure.