Add SECURITY.md with vulnerability reporting guidelines

Introduces a security policy describing how to responsibly report
memory safety and other security vulnerabilities.

security.md

@@ -0,0 +1,38 @@
+# Security Policy
+
+## Reporting a Vulnerability
+
+If you discover a security vulnerability in pocketpy, please report it responsibly.
+
+Do NOT open a public GitHub issue for security-sensitive bugs.
+
+Instead, report the issue privately by contacting the maintainers with:
+
+- A clear description of the vulnerability
+- Steps to reproduce the issue
+- A minimal proof-of-concept (if possible)
+- Environment details (OS, compiler, version, build flags)
+
+Examples of security issues include:
+
+- Heap-buffer-overflow
+- Stack-buffer-overflow
+- Use-after-free
+- Out-of-bounds read/write
+- Crashes triggered by crafted input
+
+## Response Process
+
+After receiving a report, maintainers may:
+
+1. Confirm and reproduce the issue
+2. Investigate and prepare a fix
+3. Release a patched version
+4. Publicly disclose the issue after it is resolved
+
+Please allow reasonable time for investigation and remediation before public disclosure.
+
+## Supported Versions
+
+Security fixes are typically applied to the latest development version.
+Older versions may not receive patches.