docs: add SECURITY.md vulnerability disclosure policy#35

Merged
BlackHole1 merged 1 commit into main from docs/security-policy on Jun 25, 2026
Conversation

@BlackHole1

Member

Add a SECURITY.md security policy at the repo root so GitHub surfaces it in the
Security tab and the "Report a vulnerability" entry point.

Contents

  • Supported versions — only the latest release; the app self-updates via
    Sparkle, so there are no back-ported patch branches.
  • Private reporting channels — GitHub Security Advisories (preferred) and
    email (bh@bugs.cc), with a "don't open a public issue" note.
  • Response expectations — 3-day acknowledgement, 7-day triage, coordinated
    disclosure, credit in release notes.
  • Scope notes tailored to LockIME — Accessibility / Input Monitoring
    permissions (no keystroke-content logging), the lockime:// URL scheme,
    Sparkle EdDSA-signed updates, and .lockime config/backup import.

English-only, consistent with the other community-health / docs/ files
(DESIGN.md, RELEASING.md); it is not part of the README translation set.

All referenced paths (docs/URL-Scheme-API/, the About surface) were verified
to exist.

@coderabbitai

coderabbitai Bot commented Jun 25, 2026

📥 Commits

Reviewing files that changed from the base of the PR and between 781f239 and 5649642.

📒 Files selected for processing (1)
  • SECURITY.md

Summary by CodeRabbit

  • Documentation
    • Added a security policy document with supported version details.
    • Included guidance for reporting vulnerabilities, expected response times, and coordinated disclosure.
    • Clarified the security scope for key areas such as input monitoring behavior, the custom URL scheme, update integrity, and local configuration imports.

Walkthrough

Added a new SECURITY.md file that defines LockIME’s security policy. It states that security fixes are only shipped in the latest release, lists supported-version status, describes how to report vulnerabilities, specifies what to include in a report, outlines response and disclosure expectations, and defines the security scope.

🚥 Pre-merge checks: 4 passed

| Check name | Status | Explanation |
| --- | --- | --- |
| Title check | ✅ Passed | The title is descriptive and matches the added SECURITY.md policy, and it follows a valid conventional-commit style. |
| Description check | ✅ Passed | The description directly explains the SECURITY.md policy addition and its scope. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |


@BlackHole1 BlackHole1 merged commit f663a26 into main Jun 25, 2026
3 checks passed
@BlackHole1 BlackHole1 deleted the docs/security-policy branch June 25, 2026 04:37