chore(community): add SECURITY.md

Documents the private reporting channel (GitHub Security Advisories with
support@kaelio.com as fallback), what reporters should include, and the
supported-version policy.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

SECURITY.md

@@ -0,0 +1,31 @@
+# Security Policy
+
+## Reporting a vulnerability
+
+If you believe you've found a security vulnerability in KTX, please report it
+**privately** through GitHub Security Advisories:
+
+[Report a vulnerability](https://github.com/Kaelio/ktx/security/advisories/new)
+
+If you cannot use GitHub Security Advisories, email `support@kaelio.com`
+instead. Please do **not** open a public issue, post in the KTX Slack, or
+share details elsewhere until we have published a fix.
+
+When reporting, please include:
+
+- A description of the issue and its impact
+- Steps to reproduce
+- The KTX version affected
+
+## What to expect
+
+- We will acknowledge your report within a few business days.
+- We will work with you to verify the issue and develop a fix.
+- We will credit you in the resulting advisory unless you prefer to remain
+  anonymous.
+
+## Supported versions
+
+We provide security fixes for the latest released version of
+[`@kaelio/ktx`](https://www.npmjs.com/package/@kaelio/ktx). Older versions
+may receive fixes at the maintainers' discretion.