Add SECURITY.md

[jameslamb]

Description

Contributes to rapidsai/build-planning#281

• adds a SECURITY.md describing how to report security vulnerabilities

Notes for Reviewers

Why not just set this org-wide?

An org-wide default is set at https://github.com/rapidsai/.github/blob/main/SECURITY.md, but adding an actual file in each repo offers a few benefits:

• ensures security policy travels with the repo to forks, clones, mirrors, etc.
• allows per-repo governance over the security policy (via PR review, CODEOWNERS, etc.)

This can be admin-merged

I'll stop CI intentionally after pre-commit runs, to save CI time and resources.

[copy-pr-bot]

Auto-sync is disabled for draft pull requests in this repository. Workflows must be run manually.

Contributors can view more details about this message here.

[coderabbitai]

📝 Walkthrough

Summary by CodeRabbit

• Documentation
  • Added comprehensive security vulnerability reporting guidelines including multiple secure reporting channels (web form, encrypted email with PGP guidance, and GitHub private reporting), disclosure policies, acknowledgment procedures, and specifications for required report information including reproducible exploit steps and affected versions.

Walkthrough

This PR establishes a security vulnerability disclosure policy by introducing a SECURITY.md file documenting multiple reporting channels (NVIDIA PSIRT and GitHub), designating ops team ownership, and configuring the CI workflow to exclude the policy file from triggering unnecessary test jobs.

Changes

Security Policy Setup

Layer / File(s)	Summary
Security vulnerability reporting guide SECURITY.md	Adds security disclosure documentation with NVIDIA PSIRT (web form and email with PGP) and GitHub private reporting paths, required report details, and a coordinated disclosure policy.
Code ownership and CI workflow configuration .github/CODEOWNERS, .github/workflows/pr.yaml	Assigns SECURITY.md to @rapidsai/ops-codeowners and excludes it from triggering build docs, C++ tests, and Python test jobs (conda and wheels).

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

Suggested labels

doc

Suggested reviewers

• gforsyth
• hcho3
• csadorf

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'Add SECURITY.md' directly and accurately describes the main change in the pull request, which is the addition of a new SECURITY.md file.
Description check	✅ Passed	The description is clearly related to the changeset, explaining the purpose of adding SECURITY.md, referencing the related issue, and providing context for design decisions.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@SECURITY.md`:
- Around line 20-21: The wording in SECURITY.md is inaccurate: replace the
phrase "Security and quality" with GitHub's correct UI term "Private
Vulnerability Reporting" and update the access instructions to state that
reporters reach it from the repository "Advisories" page using the "Report a
vulnerability" button so the document references the exact GitHub labels and
navigation.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: cbd2b781-62e9-44fe-9911-901c5d3e3263

📥 Commits

Reviewing files that changed from the base of the PR and between a9defae and 90de60b.

📒 Files selected for processing (3)

• .github/CODEOWNERS
• .github/workflows/pr.yaml
• SECURITY.md