Create SECURITY.md

SECURITY.md

@@ -0,0 +1,25 @@
+# Security Policy
+
+## Supported Versions
+
+All MAJOR versions of this package will receive security updates for **two years after the next major version is released**. For example, if version 4.0.0 is released, version 3.x will continue receiving security updates for two years from that date.
+
+Versions outside this window are considered end-of-life and will no longer receive updates, even for critical vulnerabilities.
+
+## Reporting a Vulnerability
+
+If you discover a security issue, please report it using GitHub's [**"Report a vulnerability"** feature](../../security/advisories/new) under the **Security** tab of this repository.
+
+When reporting, please include the following information to help us investigate quickly and thoroughly:
+
+- A clear description of the vulnerability and what part of the code it affects.
+- Steps to reproduce the issue, ideally including:
+  - The affected version
+  - A code snippet or minimal test case
+  - The expected vs. actual behavior
+- If applicable, an explanation of potential impact or severity.
+- Any suggested mitigations or patches (optional, but appreciated).
+
+Please do not disclose the vulnerability publicly until we've had a chance to investigate and publish a fix.
+
+We appreciate responsible disclosure and are committed to resolving issues promptly.