[Security] Suggest enabling private vulnerability reporting / adding SECURITY.md #266

@eddieran

Description

Hi maintainers,

MaxKey's Security tab currently shows GitHub's "Suggest a security policy" prompt — there's no SECURITY.md and Private Vulnerability Reporting (PVR) is disabled.

I checked the API:

GET /repos/dromara/MaxKey/private-vulnerability-reporting
=> {"enabled": false}

For an IAM/SSO product specifically, having a structured private-disclosure channel is especially important — researchers find protocol-level issues (SAML/OAuth2/OIDC) more often in IAM products, and posting those in a public issue gives attackers a head-start before a fix lands.

Two options I'd love your help with:

  • Option A (preferred): Enable Private Vulnerability Reporting via Settings → Code security → Private vulnerability reporting → Enable. Free for public repos, hides triage discussion from the public, and gives researchers a structured GHSA channel.
  • Option B: Confirm a preferred private channel (email or otherwise) and I can route there.

I've also opened a companion PR adding a draft SECURITY.md based on the standard GitHub template, with sections tailored for an IAM/SSO project (in-scope list highlights SAML/OAuth2/OIDC/CAS protocol flaws, JWT issues, password-reset/MFA bypass, etc.). It's purely the "Suggest a security policy" suggestion — feel free to edit anything in it; the important thing is that a private reporting channel exists.

Thanks for considering!

— Eddie Ran
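An added example, not code from the issue author or from the MaxKey project: a small audit script that performs the API check quoted above and extends it to the three locations GitHub scans for a security policy file (repo root, `.github/`, `docs/`). The two REST endpoints are GitHub's real ones; the `fetch` parameter is a hypothetical injection point so the decision logic can be exercised offline with constructed responses, and `GITHUB_TOKEN` is assumed as the environment variable for an optional token.

```python
"""Audit whether a GitHub repository offers a private vulnerability-disclosure channel.

Added example (not part of the issue or of MaxKey). It checks:
  1. Private Vulnerability Reporting (PVR):
       GET /repos/{owner}/{repo}/private-vulnerability-reporting -> {"enabled": bool}
  2. A security policy file in any location GitHub recognizes:
       GET /repos/{owner}/{repo}/contents/{path} -> 200 present, 404 absent
GITHUB_TOKEN (assumed env var) raises the unauthenticated rate limit; public repos
work without it.
"""
import json
import os
import sys
import urllib.error
import urllib.request

API = "https://api.github.com"
# Locations GitHub looks in for a security policy.
SECURITY_POLICY_PATHS = ("SECURITY.md", ".github/SECURITY.md", "docs/SECURITY.md")


def github_get(path, token=None):
    """GET a REST path; return (status, decoded JSON or None). A 404 is data, not an error."""
    req = urllib.request.Request(
        API + path,
        headers={"Accept": "application/vnd.github+json", "User-Agent": "pvr-audit"},
    )
    if token:
        req.add_header("Authorization", "Bearer " + token)
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            body = resp.read()
            return resp.status, (json.loads(body) if body else None)
    except urllib.error.HTTPError as err:
        return err.code, None


def audit_repo(owner, repo, fetch=None):
    """Return {'pvr_enabled': bool|None, 'security_md': path|None, 'ok': bool}.

    `fetch(path)` must return (status, json) like github_get; it is injectable
    (hypothetical hook) so the logic can be tested with constructed responses.
    pvr_enabled is None when the endpoint is not readable (e.g. 404 on a repo the
    token cannot see); that is reported as unknown, not as disabled.
    """
    if fetch is None:
        token = os.environ.get("GITHUB_TOKEN")
        fetch = lambda path: github_get(path, token)
    base = f"/repos/{owner}/{repo}"

    status, data = fetch(base + "/private-vulnerability-reporting")
    if status == 200 and isinstance(data, dict):
        pvr_enabled = bool(data.get("enabled"))
    else:
        pvr_enabled = None

    security_md = None
    for path in SECURITY_POLICY_PATHS:
        status, _ = fetch(f"{base}/contents/{path}")
        if status == 200:
            security_md = path
            break

    return {
        "pvr_enabled": pvr_enabled,
        "security_md": security_md,
        # Both a private channel and a published policy are needed to count as ok.
        "ok": pvr_enabled is True and security_md is not None,
    }


def main(argv):
    if len(argv) != 2 or "/" not in argv[1]:
        print("usage: pvr_audit.py OWNER/REPO", file=sys.stderr)
        return 2
    owner, repo = argv[1].split("/", 1)
    result = audit_repo(owner, repo)
    pvr = {True: "enabled", False: "DISABLED", None: "unknown"}[result["pvr_enabled"]]
    print(f"{owner}/{repo}: PVR {pvr}; security policy: {result['security_md'] or 'NONE'}")
    return 0 if result["ok"] else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python pvr_audit.py dromara/MaxKey`; a non-zero exit means at least one of the two channels is missing, which makes it easy to loop over an organization's repositories. One caveat: GitHub also honours a SECURITY.md in an organization-level `.github` repository, which this script does not look at, so a "NONE" result for the policy file should be confirmed on the repo's Security tab before filing an issue like this one.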
