
Add a Security policy file #1013

Merged
mergify[bot] merged 1 commit into python-wheel-build:main from mprpic:add-security-policy
Apr 2, 2026

Conversation

@mprpic
Contributor

@mprpic mprpic commented Apr 2, 2026

Pull Request Description

What

This was identified as missing when assessing the fromager repository with OpenSSF's scorecard. See #1008.

Why

A security policy file tells potential contributors how to privately disclose vulnerabilities. GitHub offers a native "report a vulnerability" button (maybe this needs to be configured at the repo level by admins?). If using GitHub is not desired, we could set up a mailing list or point people to Red Hat Product Security (secalert@redhat.com) since this project is largely maintained by Red Hatters right now.

@mprpic mprpic requested a review from a team as a code owner April 2, 2026 00:50
@coderabbitai

coderabbitai bot commented Apr 2, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 4a50dd4f-e461-484d-99f9-8ca8886c7a25

📥 Commits

Reviewing files that changed from the base of the PR and between 3d7912b and 6fd4efe.

📒 Files selected for processing (1)
  • SECURITY.md
✅ Files skipped from review due to trivial changes (1)
  • SECURITY.md

📝 Walkthrough

Walkthrough

A new SECURITY.md was added defining the project's security policy. It states security updates are provided only for the latest release, requires vulnerability reports via GitHub’s private "Security and quality" reporting (explicitly forbids public issues), requests a vulnerability description and, when possible, a short reproducer, a proposed severity rating, and optional classification metadata (e.g., CWE IDs or CVSS), and asks reporters to follow coordinated disclosure with a reasonable remediation timeframe.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

🚥 Pre-merge checks | ✅ 2
✅ Passed checks (2 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly and concisely describes the main change: adding a SECURITY.md security policy file to the repository.
Description check ✅ Passed The description is directly related to the changeset, explaining why the security policy was needed (OpenSSF scorecard assessment) and what it addresses (vulnerability disclosure guidance).


@mprpic mprpic added the documentation Improvements or additions to documentation label Apr 2, 2026
@mprpic mprpic force-pushed the add-security-policy branch 2 times, most recently from 6afc432 to 3d7912b on April 2, 2026 13:45
@LalatenduMohanty
Member

@Mergifyio queue

@mergify
Contributor

mergify bot commented Apr 2, 2026

queue

⚠️ Configuration not compatible with a branch protection setting

Details

The branch protection setting Require branches to be up to date before merging is not compatible with draft PR checks. To keep this branch protection enabled, update your Mergify configuration to enable in-place checks: set merge_queue.max_parallel_checks: 1, set every queue rule batch_size: 1, and avoid two-step CI (make merge_conditions identical to queue_conditions). Otherwise, disable this branch protection.

@LalatenduMohanty
Member

@Mergifyio rebase

This was identified as missing when assessing the fromager repository
with OpenSSF's scorecard. See python-wheel-build#1008.

Signed-off-by: Martin Prpič <mprpic@redhat.com>
@mergify
Contributor

mergify bot commented Apr 2, 2026

rebase

✅ Branch has been successfully rebased

@mergify mergify bot merged commit cd32d2e into python-wheel-build:main Apr 2, 2026
37 checks passed