
docs: add security disclosure policy #911

Open
artylobos wants to merge 2 commits into LabsCrypt:main from artylobos:codex/security-policy-908


@artylobos

Summary

  • add a root SECURITY.md with supported-version guidance, private reporting instructions, response timeline, scope, and reward policy
  • link the policy from README.md so researchers have a canonical disclosure path

Validation

Closes #908

@artylobos
Author

CI note: the remaining red check is frontend, and the GitHub Actions log shows it fails before touching this docs change because repository-wide `prettier --check .` reports existing formatting warnings in:

  • frontend/e2e/borrower-repay-flow.spec.ts
  • frontend/e2e/lender-withdraw-flow.spec.ts

This PR only changes SECURITY.md and README.md. The other checks (CodeQL, contracts, backend, and supply-chain-audit) are green. I avoided adding unrelated e2e formatting changes to keep the security-policy PR scoped to #908.

@artylobos
Author

Follow-up: I formatted the two e2e files that were causing the frontend job to fail on `prettier --check .`. The latest check set is now green, and PR status is CLEAN.

The only changes in the follow-up commit are formatting updates to:

  • frontend/e2e/borrower-repay-flow.spec.ts
  • frontend/e2e/lender-withdraw-flow.spec.ts


Development

Successfully merging this pull request may close these issues.

[Docs] Add SECURITY.md disclosure policy and link from README
