Add SECURITY.md with security policy

SECURITY.md

@@ -0,0 +1,56 @@
+# Security Policy
+
+## Supported Versions
+
+| Version     | Supported          |
+| ----------- | ------------------ |
+| `main` / `v1.0.x` | ✅ |
+| `v0.9.x`    | ✅ |
+| `< v0.9`    | ❌ |
+
+> We actively provide security updates for the current release and the most recent prior minor release. Older versions are not supported for security fixes.
+
+## Reporting a Vulnerability
+
+If you discover a security issue in StudyMatePlus, please report it privately so we can fix it before public disclosure.
+
+Preferred reporting options:
+- Use GitHub Security Advisory for this repository
+- If email is available, contact the maintainers directly
+- If no private channel exists, open a private issue
+
+### What to include
+- A clear summary of the issue
+- Affected version(s)
+- Steps to reproduce
+- Expected vs actual behavior
+- Proof of concept or sample code
+- Any relevant screenshots or logs
+
+## Response Process
+
+- Acknowledgement: within 2 business days
+- Initial assessment: within 5 business days
+- Ongoing updates: at least weekly until resolved
+- Disclosure: we will coordinate with the reporter before making any public disclosure
+
+## What We Will Do
+
+- Validate and triage the report
+- Assign severity and impact
+- Fix the issue in supported versions
+- Publish a security advisory or release note once fixed
+
+## Safe Harbor
+
+If you report a vulnerability in good faith, we will not take legal action against you, provided you:
+- do not exploit the issue
+- do not share details publicly before a fix is available
+- cooperate with the disclosure process
+
+## Not Covered
+
+This policy does not cover:
+- general feature requests
+- usability issues
+- support questions