Update security policy and reporting guidelines#2708

Status: Open

krishGupta-026 wants to merge 2 commits into Priyanshu-byte-coder:main from krishGupta-026:feat/add-security-policy

Conversation

@krishGupta-026


Closes #1910

Summary

Updated the SECURITY.md file to establish a security policy for DevTrack. The policy includes supported versions, vulnerability reporting instructions, expected response times, and the process followed after a vulnerability report is received.


Type of Change

  • [✅] 📝 Documentation update

What Changed

- Added supported versions table
- Added vulnerability reporting guidelines using GitHub Private Vulnerability Reporting
- Added expected response timelines
- Added vulnerability handling workflow


How to Test

  1. Open the repository root and verify that SECURITY.md exists.
  2. Review the file contents and confirm all required sections are present.
  3. Verify that GitHub recognizes the security policy in the Security tab after merging.

Expected result:
The repository contains a valid SECURITY.md file with clear security reporting instructions and policy information.


Checklist

- [✅] Linked the related issue above
- [✅] Self-reviewed my own diff
- [✅] Updated documentation / comments if behavior changed


@github-actions


Thanks for your first PR on DevTrack! 🎉

A maintainer will review it within 48 hours. While you wait:

  • Make sure CI is passing (type-check + lint)
  • Double-check the PR description is filled out and the issue is linked
  • Feel free to ask questions in Discussions if you need help

If you find DevTrack useful, a ⭐ star on the repo is always appreciated — it helps the project grow and attract more contributors!

github-actions bot added labels gssoc26 (GSSoC 2026 contribution), type:design (GSSoC type bonus: UI/design, +10 pts), type:docs (GSSoC type bonus: documentation, +5 pts) and type:security (GSSoC type bonus: security, +20 pts), and removed labels gssoc26, type:design and type:security, on Jun 22, 2026
@github-actions


GSSoC Label Checklist 🏷️

@Umbrella-io — please apply the appropriate labels before merging:

Difficulty (pick one):

  • level:beginner — 20 pts
  • level:intermediate — 35 pts
  • level:advanced — 55 pts
  • level:critical — 80 pts

Quality (optional):

  • quality:clean — ×1.2 multiplier
  • quality:exceptional — ×1.5 multiplier

Validation (required to score):

  • gssoc:approved — counts for points
  • gssoc:invalid / gssoc:spam / gssoc:ai-slop — does not score

Type labels (type:*) are auto-detected from files and title. Review and adjust if needed.
Points formula: (difficulty × quality_multiplier) + type_bonus

@Priyanshu-byte-coder

Owner

Thanks for the effort on updating the security policy. However, this PR removes significant project-specific documentation that we need to keep:

  1. Fallback contact email (doshipriyanshu3@gmail.com) — reporters need an alternative channel if GitHub advisories are unavailable
  2. Row Level Security (RLS) documentation — documents which Supabase tables have RLS and enforcement policies
  3. API Logging Redaction Standards — extensive reference for what must never be logged (tokens, secrets, PII), redaction patterns with TypeScript examples, and reviewer checklist
  4. Specific escalation paths with timelines (Critical: 72h, High: 7 days, Medium: 14 days)
  5. GSSoC Points & Recognition section for security fixes
  6. Coordinated Disclosure section with direct advisory link

The replacement reads like a generic SECURITY.md template. Please restructure and simplify the existing content rather than replacing it wholesale. Keep all project-specific details and improve readability/organization instead.

Expanded the security policy to include detailed reporting procedures, expected response times, and logging standards. Added sections on vulnerability scope and redaction standards for sensitive information.
github-actions bot added labels gssoc26 (GSSoC 2026 contribution), type:design (GSSoC type bonus: UI/design, +10 pts) and type:security (GSSoC type bonus: security, +20 pts) on Jun 25, 2026
@krishGupta-026

Author

Hi @Priyanshu-byte-coder, thanks for the detailed feedback!

I've updated the PR to preserve all project-specific content:

  • Kept fallback email, RLS docs, API logging redaction standards,
    escalation timelines, GSSoC section, and coordinated disclosure link
  • Only restructured for readability — no content was removed

Please review when you get a chance!

Development

Successfully merging this pull request may close these issues.

[DOCS] Create SECURITY.md with responsible disclosure policy