add SECURITY.md

Author: StephenHodgson

SECURITY.md

@@ -0,0 +1,43 @@
+# Security Policy
+
+## Supported Versions
+
+Security updates are applied to the latest release on the `main` branch. If you are using an older release, please upgrade to the newest version before reporting issues.
+
+## Reporting a Vulnerability
+
+Please report security issues privately so we can investigate and address them responsibly.
+
+Preferred contact:
+
+- GitHub Security Advisories: [https://github.com/RageAgainstThePixel/unity-cli/security/advisories](https://github.com/RageAgainstThePixel/unity-cli/security/advisories)
+
+If you cannot use GitHub Security Advisories, open a minimal issue and request a private channel; do not include sensitive details in public issues.
+
+When reporting, please include:
+
+- A clear description of the issue and impact
+- Steps to reproduce (proof-of-concept or minimal example)
+- Affected versions, if known
+- Any relevant logs or configuration details (redact secrets)
+
+## Disclosure Process
+
+We follow responsible disclosure practices:
+
+- We will acknowledge receipt of your report within 5 business days
+- We will work on a fix and coordinate a release
+- We will credit reporters who want acknowledgment
+
+## Out of Scope
+
+The following are generally out of scope:
+
+- Issues in outdated or unsupported versions
+- Social engineering or physical attacks
+- Denial of service issues that require unreasonable traffic volumes
+- Vulnerabilities in dependencies without a direct impact on this project
+
+## Security Updates
+
+Security releases will be published through GitHub Releases and, when appropriate, GitHub Security Advisories.