
Create security.md #609

Open
diegokingston wants to merge 1 commit into main from security

@diegokingston
Collaborator

No description provided.

@github-actions

Codex Code Review

Found one issue:

  • Low - security.md may not be recognized as the GitHub security policy file
    security.md is added in lowercase, but GitHub’s convention for repository security policies is SECURITY.md. If GitHub does not detect this file, the policy may not appear in the repository’s Security tab/community health surfaces, which undermines the reporting instructions added by this PR. Rename it to SECURITY.md.

No code security, VM, Rust, crypto, or performance issues are introduced by this diff; it only adds documentation.

@claude

claude Bot commented May 21, 2026

Review

This is a documentation-only PR — no code changes, no security or correctness concerns.

One actionable issue: file name casing

GitHub specifically recognizes SECURITY.md (all caps) in the repo root or .github/ directory. With the current security.md (lowercase) name, GitHub will not auto-discover the file and won't surface it in the repository's Security tab or link it from the "Report a vulnerability" button — which is the primary purpose of the document.

Recommendation: Rename to SECURITY.md or place at .github/SECURITY.md.

Reference: https://docs.github.com/en/code-security/getting-started/adding-a-security-policy-to-your-repository


Minor nits (not blocking):

  • The "Our Response Process" section has no time-bound SLA (e.g., "acknowledge within 48 hours"). Reporters won't know if their submission was received.
  • The reward section mentions recognition in "our changelog or release notes" — worth confirming that venue actually exists and is maintained.
