add security policy

Updated the security policy to include reporting guidelines and responsible disclosure practices.

Author: jacklowrie

SECURITY.md

@@ -0,0 +1,36 @@
+# Security Policy
+
+Thank you for your interest in keeping Chordnet secure! As a single-developer project, I appreciate your help in reporting any vulnerabilities you may find.
+
+## Reporting a Vulnerability
+
+If you discover a security issue, **please do not open a public issue**. Instead, email me directly at [[email protected]] with details.
+
+- Provide as much information as possible to help reproduce and address the issue (e.g., steps to reproduce, environment, affected versions, and any relevant logs or screenshots).
+- I aim to acknowledge security reports within **7 days**. Resolution or a fix may take longer depending on complexity and my availability, but I will keep you updated.
+- If you are able to help fix the issue, that is welcome! We can coordinate through the emailed report.
+- Please give me a reasonable amount of time to address the issue before any public disclosure.
+
+## Scope
+
+This policy applies to the Chordnet repository and its published releases. Issues with third-party dependencies should be reported upstream.
+
+## Responsible Disclosure
+
+Please avoid publicly disclosing vulnerabilities without prior coordination. I appreciate your patience and cooperation while I work to resolve any security concerns.
+
+## Out of Scope
+
+- Denial of Service (DoS) via resource exhaustion (unless it’s trivial to prevent)
+- Social engineering attacks
+- Issues in dependencies not maintained by this project
+- Vulnerabilities in projects that use chordnet (where the fix is unique to the project, in the project's source code, and/or not a vulnerability specific to chordnet)
+
+## Contact
+
+Email: [[email protected]]  
+GitHub: [https://github.com/jacklowrie](https://github.com/jacklowrie)
+
+---
+
+Thank you for helping keep Chordnet safe for everyone!