chore: Update license year to 2026 and add security policy document

Author: feynon

LICENSE.txt

@@ -1,6 +1,6 @@
 Dual MIT/Apache-2.0 License
 
-Copyright (c) 2025 Tiles and Contributors
+Copyright (c) 2026 Tiles Privacy and Contributors
 
 Except as otherwise noted in individual files, this software is licensed under the MIT license (<http://opensource.org/licenses/MIT>), or the Apache License, Version 2.0 (<http://www.apache.org/licenses/LICENSE-2.0>).
 

SECURITY.md

@@ -0,0 +1,72 @@
+# Security Policy
+
+## Reporting a Vulnerability
+
+We take security vulnerabilities seriously. If you discover a security vulnerability in Tiles, please report it to us responsibly.
+
+### How to Report
+
+**We encourage you to use GitHub's Security Advisory feature** to report vulnerabilities privately:
+
+1. Go to the [Security tab](https://github.com/tilesprivacy/tiles/security) in this repository
+2. Click on **"Report a vulnerability"** or **"Advisories"**
+3. Click **"New draft security advisory"**
+4. Fill out the security advisory form with:
+   - A clear description of the vulnerability
+   - Steps to reproduce the issue
+   - Potential impact and severity assessment
+   - Any suggested fixes or mitigations
+
+Alternatively, you can report vulnerabilities by emailing [**security@tiles.run**](mailto:security@tiles.run) with:
+- A detailed description of the vulnerability
+- Steps to reproduce the issue
+- Potential impact assessment
+- Your contact information
+
+### What to Include
+
+When reporting a vulnerability, please provide:
+
+- **Description**: A clear description of the security issue
+- **Steps to Reproduce**: Detailed steps to reproduce the vulnerability
+- **Impact**: The potential impact if this vulnerability is exploited
+- **Severity**: Your assessment of the severity (Critical, High, Medium, Low)
+- **Affected Versions**: Which versions of Tiles are affected
+- **Suggested Fix**: If you have ideas for how to fix the issue (optional but appreciated)
+
+### Response Timeline
+
+We aim to:
+
+- **Acknowledge** your report within 48 hours
+- **Triage** the vulnerability within 7 days
+- **Provide updates** on our progress regularly
+- **Resolve** critical vulnerabilities as quickly as possible
+
+### Disclosure Policy
+
+- We will work with you to coordinate public disclosure after the vulnerability has been addressed
+- We will credit you in our security advisories (unless you prefer to remain anonymous)
+- We will not disclose your report publicly until a fix is available
+
+### Security Best Practices
+
+When testing for vulnerabilities:
+
+- **Do not** access or modify user data without permission
+- **Do not** perform any actions that could harm users or their systems
+- **Do not** violate any laws or breach any agreements
+- **Do** act in good faith and follow responsible disclosure practices
+
+## Security Updates
+
+Security updates will be released as soon as possible after a vulnerability is confirmed and fixed. We recommend:
+
+- Keeping Tiles updated to the latest version
+- Subscribing to the [Tiles blog](https://tiles.run/blog) for important security updates
+
+## Questions?
+
+If you have questions about this security policy, please contact us at [**security@tiles.run**](mailto:security@tiles.run).
+
+Thank you for helping keep Tiles secure!