docs: add SECURITY.md with vulnerability reporting policy#258

Merged
Soumya-codr merged 3 commits into
Coder-s-OG-s:mainfrom
RehanAhmad25:add/security
Jun 5, 2026

Conversation

@RehanAhmad25

Contributor

Summary

This PR adds a SECURITY.md file to the repository root. MergeShip currently has no defined security policy, leaving contributors and users with no safe, private channel to report vulnerabilities. This change establishes a responsible disclosure process following GitHub's recommended best practices.

Type of Change

  • Bug fix
  • New feature
  • UI / UX improvement
  • Refactor
  • Documentation
  • Other

Related Issue

Closes #254

What was changed?

  • Added SECURITY.md at the root of the repository
  • Added explicit contact details with maintainer profile link
  • Added vulnerability reporting via GitHub Private Security Advisory
  • Included expected response timeline for reported vulnerabilities
  • Outlined responsible disclosure policy with 30-day embargo period
  • Added OWASP external reference link

Screenshots

Not applicable — documentation-only change with no visual impact.

Checklist

  • My code follows the project structure and conventions
  • I tested this locally (npm run dev)
  • No hardcoded secrets or credentials
  • I have updated documentation if needed

@vercel

vercel Bot commented Jun 4, 2026

Contributor

@RehanAhmad25 is attempting to deploy a commit to the codersogs-3057's projects Team on Vercel.

A member of the Team first needs to authorize it.

@Soumya-codr added labels on Jun 5, 2026: documentation (Improvements or additions to documentation), GSSOC26 (GirlScript Summer of Code 2026), level:beginner (Beginner level difficulty), type:docs (Documentation contribution), gssoc:approved (Approved by GSSOC admin), NSoc level 1
@vercel

vercel Bot commented Jun 5, 2026

Contributor

The latest updates on your projects.

| Project   | Deployment | Actions          | Updated (UTC)       |
|-----------|------------|------------------|---------------------|
| mergeship | Ready      | Preview, Comment | Jun 5, 2026 5:04pm  |

@Ayush-Patel-56

Collaborator

CI failing, can you please check

@RehanAhmad25

Contributor Author

Hey @Ayush-Patel-56 ! Just pushed a fix for the Prettier formatting issue on SECURITY.md — that CI check should now pass. ✅

For the second failure (actions/github-script 403), that one isn't caused by my changes. It's a permission issue on fork PRs — the workflow job is missing permissions: pull-requests: write, so the GITHUB_TOKEN can't post comments. The maintainer would need to add that to the workflow YAML to fix it. Happy to help if needed!

And, could you kindly add the required GSSoC labels to the merged PR #259 and ensure the contribution is properly tracked?

Thank you! 🙌
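The 403 from actions/github-script described in the comment above is the usual symptom of a workflow that tries to post a comment on a pull request from a fork with GITHUB_TOKEN. What follows is an added example, not the MergeShip workflow (which this page does not show); the workflow names, comment text and trigger types are assumptions made for illustration. The first document is the form that fails: on a pull_request event triggered from a fork, GITHUB_TOKEN is downgraded to read-only no matter what the permissions block requests, so adding pull-requests: write there is not enough. The second document is the form that works: pull_request_target runs in the base repository's context with its token, so a write scope is available for fork PRs too. Because that token can now write, the job must keep permissions minimal and must not check out or execute the PR head (no actions/checkout of the PR ref, no install or build step), otherwise a fork could run arbitrary code with a write-capable token.

```yaml
# Weak form: fails with 403 on PRs opened from forks.
# The pull_request event from a fork gets a read-only GITHUB_TOKEN,
# and the permissions block below cannot raise it.
name: pr-comment-weak          # hypothetical workflow name
on:
  pull_request:
jobs:
  comment:
    runs-on: ubuntu-latest
    permissions:
      pull-requests: write     # ignored for fork PRs: token stays read-only
    steps:
      - uses: actions/github-script@v7
        with:
          script: |
            await github.rest.issues.createComment({
              owner: context.repo.owner,
              repo: context.repo.repo,
              issue_number: context.issue.number,
              body: 'Thanks for the PR!'   // constructed comment text
            })
---
# Corrected form: pull_request_target runs on the base branch with the
# base repository's token, so the write scope is honoured for fork PRs.
# Nothing from the PR head is checked out or executed in this job; the
# script only talks to the API. Keep it that way: a checkout of the PR
# ref plus a build step would hand fork-controlled code a write token.
name: pr-comment               # hypothetical workflow name
on:
  pull_request_target:
    types: [opened, synchronize]
permissions: {}                # deny everything by default at workflow level
jobs:
  comment:
    runs-on: ubuntu-latest
    permissions:
      pull-requests: write     # the only scope this job needs
    steps:
      - uses: actions/github-script@v7
        with:
          script: |
            await github.rest.issues.createComment({
              owner: context.repo.owner,
              repo: context.repo.repo,
              issue_number: context.issue.number,
              body: 'Thanks for the PR!'   // constructed comment text
            })
```

If the same workflow also needs to build or test the fork's code, split it: run the untrusted build under pull_request with read-only permissions, and do the commenting in a separate workflow_run or pull_request_target job that never executes fork-controlled files.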

@Soumya-codr

Collaborator

> And, could you kindly add the required GSSoC labels to the merged PR #259 and ensure the contribution is properly tracked?

Quick question, please give me an honest reply: Are you using AI for any part of this contribution, like for phrasing the text or anything else?

Thanks!

@RehanAhmad25

Contributor Author

Hi @Soumya-codr,

For the PR itself, absolutely not. The contribution, analysis, and changes were done by me.

For the CI/CD check, since it was my first time dealing with that kind of error, I used ChatGPT to understand what the failure meant. The prompt I used was:

"Can you explain what CI/CD errors are in GitHub? What is a 'Run actions/github-script' error?"

I used it only to learn about the error and understand the workflow logs. The diagnosis, investigation, and fixes I worked on were done by me afterward.

Hope that clarifies things. Thanks for asking!

@Soumya-codr

Collaborator

> Hi @Soumya-codr,
>
> For the PR itself, absolutely not. The contribution, analysis, and changes were done by me.
>
> For the CI/CD check, since it was my first time dealing with that kind of error, I used ChatGPT to understand what the failure meant. The prompt I used was:
>
> "Can you explain what CI/CD errors are in GitHub? What is a 'Run actions/github-script' error?"
>
> I used it only to learn about the error and understand the workflow logs. The diagnosis, investigation, and fixes I worked on were done by me afterward.
>
> Hope that clarifies things. Thanks for asking!

Ok, appreciate the honesty. I have requested a review of the PR from @Ayush-Patel-56; after he reviews it, your PR will get merged.

Thanks

@Ayush-Patel-56

Collaborator

Appreciate your honesty @RehanAhmad25. No worries if you are using AI, as long as it adds some value to the project.

But try to avoid using em-dashes (--) for long dashes, as they clearly mark an AI-written PR. Here it's acceptable, but in GSoC or LFX it may get rejected.

@RehanAhmad25

Contributor Author

Thank you for the clarification and feedback, @Soumya-codr and @Ayush-Patel-56 .

I appreciate the advice. I'll keep that in mind and be more careful with my writing style going forward. My intention is always to ensure clear communication and contribute meaningful work to the project.

Thanks again for the guidance and for taking the time to review the contribution. 🙌

@Ayush-Patel-56 added labels quality:clean (Clean, well-structured contribution) and mentor:Ayush-Patel-56 (Replace Ayush-Patel-56 with mentor's GitHub handle to credit them), and removed the CI CD pending label, on Jun 5, 2026
@RehanAhmad25

Contributor Author

And, please consider the label issue on PR #259.

@Ayush-Patel-56 Ayush-Patel-56 left a comment

Collaborator

Cheers! Thanks

@Soumya-codr Soumya-codr merged commit 00ba6e2 into Coder-s-OG-s:main Jun 5, 2026
4 checks passed
@Soumya-codr

Collaborator

LGTM Thanks

Labels

  • documentation: Improvements or additions to documentation
  • gssoc:approved: Approved by GSSOC admin
  • GSSOC26: GirlScript Summer of Code 2026
  • level:beginner: Beginner level difficulty
  • mentor:Ayush-Patel-56: Replace Ayush-Patel-56 with mentor's GitHub handle to credit them
  • NSoc level 1
  • quality:clean: Clean, well-structured contribution
  • type:docs: Documentation contribution

Development

Successfully merging this pull request may close these issues.

[Security]: Add SECURITY.md to define vulnerability reporting process

3 participants