Create SECURITY.md for security policy

[leangheng20042004-blip]

Added a security policy document outlining supported versions and vulnerability reporting.

Description

Type of change

• Bug fix
• New feature
• Protocol integration
• Documentation update
• Other (please describe):

Screenshots

Testing

Related Issues

Checklist

• My code follows the project's style guidelines
• I have added tests that prove my fix/feature works
• All tests pass locally and in CI
• I have updated documentation as needed
• I have run build:info script to update build information
• CI/CD checks pass
• I have included screenshots for protocol screens (if applicable)
• For security-related features, I have included links to related information

Additional Notes

[vercel]

@leangheng20042004-blip is attempting to deploy a commit to the Solana Foundation Team on Vercel.

A member of the Team first needs to authorize it.

[greptile-apps]

Greptile Summary

This PR adds a SECURITY.md file to document the project's security policy, but the file is the unmodified GitHub template and is not ready to publish.

• The supported-versions table lists fictional version numbers (5.1.x, 5.0.x, 4.0.x) instead of the project's actual version (0.1.0).
• The "Reporting a Vulnerability" section is entirely placeholder prose — there is no real contact address, response timeline, or disclosure process for researchers to follow.

Confidence Score: 4/5

Not safe to merge — the SECURITY.md is an unfilled template that provides no real security guidance or reporting channel.

Two P1 findings: the version table contains fictional version numbers inconsistent with the project, and the vulnerability-reporting section is entirely placeholder text with no actionable contact information. Both must be filled in before this file is useful or accurate.

SECURITY.md requires both the supported-versions table and the reporting-instructions section to be replaced with real, project-specific content.

Important Files Changed

Filename	Overview
SECURITY.md	Adds a SECURITY.md policy file, but the content is the unmodified GitHub template — version numbers don't match the project and the vulnerability-reporting section is all placeholder text with no real contact info.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[Security Researcher finds vulnerability] --> B{Consult SECURITY.md}
    B --> C[Check supported versions table]
    B --> D[Find reporting contact / process]
    C --> E[❌ Template versions only — no real data]
    D --> F[❌ Placeholder text only — no contact info]
    E --> G[Researcher cannot determine if version is patched]
    F --> H[Researcher has no way to report responsibly]

Loading

_{Reviews (1): Last reviewed commit: "Create SECURITY.md for security policy" | Re-trigger Greptile}

[greptile-apps]

Template version numbers not replaced

The version table still contains the GitHub SECURITY.md template defaults (5.1.x, 5.0.x, 4.0.x). The project's actual version from package.json is 0.1.0, so these rows are misleading and tell security researchers nothing about which release lines are actually patched. The table should be updated to reflect the real supported versions of this project.

[greptile-apps]

Reporting instructions are unfilled placeholder text

The "Reporting a Vulnerability" section contains only the GitHub template boilerplate ("Use this section…", "Tell them where to go…") — there is no actual contact address, process, or response timeline. The PR description itself references disclosures@solana.org for Solana Verify security bugs, which suggests at least one valid contact point already exists. Without real content here, this document gives security researchers no actionable way to disclose vulnerabilities.

[rogaldh]

Not sure how this should work

[rogaldh]

@Woody4618 wdyt?