Add a SECURITY.md file (#1184)

Author: phillebaba

SECURITY.md

@@ -0,0 +1,17 @@
+# Security Policy
+
+## Supported Versions
+
+The latest minor release of Spegel receives patch updates for critical security vulnerabilities on a best-effort basis.
+
+For guaranteed SLAs on security fixes and patches across multiple releases, enterprise support is available through [Kvick](https://kvick.dev).
+
+## Reporting a Vulnerability
+
+Please report security vulnerabilities through [GitHub Security Advisories](https://github.com/spegel-org/spegel/security/advisories/new). All reports are handled with priority.
+
+We aim to acknowledge reports within 7 days and release patches for critical vulnerabilities within 30 days.
+
+We request that security researchers follow responsible disclosure practices and allow us a reasonable time of 90 days to address the vulnerability before public disclosure.
+
+With your permission, we will acknowledge your contribution in the release notes of the patch version.