[Docs] Add SECURITY.md disclosure policy and link from README

[ogazboiz]

Join the contributor Telegram: https://t.me/+DOylgFv1jyJlNzM0

Why this matters

There is no SECURITY.md, so researchers reporting a vulnerability have no canonical address, no disclosure window, and no scope statement. GitHub flags this as a security policy gap, and Stellar/Soroban projects without one face higher friction with bounty programs. A short, honest SECURITY.md is mostly boilerplate but signals seriousness.

Acceptance criteria

• Add SECURITY.md at the repo root with:
  • Supported versions (current main + last tag).
  • Contact email / encrypted contact (e.g. via the Telegram link as a fallback only).
  • 90-day disclosure window and "we'll respond within 5 business days" SLA.
  • Scope (in-scope: contracts/backend/frontend in this repo; out-of-scope: 3rd party services).
  • Reward statement (clarify whether bounties are offered).
• Link it from README.md "Security" section.

Files to touch

• SECURITY.md (new)
• README.md

Out of scope

• Running a paid bounty programme.
• Adding a GPG key right now (mention the option only).

[artylobos]

Submitted PR #911 for this issue: #911

Scope:

• adds root SECURITY.md with supported versions, private reporting, 5-business-day acknowledgement target, 90-day coordinated disclosure window, scope, and reward policy
• links the policy from README.md

Validation:

• git diff --check -- SECURITY.md README.md
• local acceptance-criteria content check passed

[artylobos]

Update: I followed up the PR with a tiny formatting commit for the two e2e files that were causing the repository-wide prettier --check . failure. The latest PR status is now CLEAN with all GitHub checks green.

Current PR: #911

[devpeter999]

@devpeter999 has applied to work on this issue as part of the Stellar Wave Program's 5th wave.

Hii maintainer I will like to jump on this issue

ℹ️ Repo Maintainers: To accept this application, review their application or assign @devpeter999 to this issue.

[drips-wave]

Congratulations, @devpeter999! 🎉 Your application was accepted by the repo's maintainers, and the issue is due on June 2, 2026.

🧑‍💻 @devpeter999: Please resolve the issue such that the repo's maintainers have enough time to review your contribution before the due date. You'll earn Points for completing the issue on-time, which will make you eligible for a share of the Stellar Wave Program's reward pool.

Warning

When opening a PR, please link it to this issue to ensure it gets tracked accurately. Points are awarded when this issue is marked as completed by the maintainer.

🤠 Repo maintainers: Please keep an eye on the contributor's progress and review their work before the due date. You can manage this issue, including adjusting its complexity and points, here.

🌊 Happy Wave 🌊

[davidweb3-ctrl]

I'll implement the SECURITY.md disclosure policy.

Approach:

• Standard security policy template
• Vulnerability disclosure process
• Contact information
• Response timeframes

ETA: 1 hour

Wallet: 0x408f39B19266022FeC03076091e59D1f4f163658