Add organisation-wide security policy and vulnerability reporting

## Problem Statement

The metreeca organisation has no security policy. There is no SECURITY.md, no guidance on how to report vulnerabilities, and private vulnerability reporting is not enabled.

## Proposed Solution

Add a SECURITY.md to the `.github` repository (org-wide default) and enable GitHub private vulnerability reporting across all repositories.

### SECURITY.md should cover

- Supported versions receiving security patches
- How to report vulnerabilities (GitHub private reporting + email fallback)
- Acknowledgement timeline (e.g. within 5 business days)
- Disclosure policy and embargo period
- Safe harbour clause for good-faith researchers

### Additional actions

- Enable private vulnerability reporting org-wide (Settings → Advanced Security)
- Enable Dependabot alerts on active repositories

## References

- [Adding a security policy — GitHub Docs](https://docs.github.com/en/code-security/getting-started/adding-a-security-policy-to-your-repository)
- [Configuring private vulnerability reporting — GitHub Docs](https://docs.github.com/en/code-security/security-advisories/working-with-repository-security-advisories/configuring-private-vulnerability-reporting-for-a-repository)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Add organisation-wide security policy and vulnerability reporting #12

Problem Statement

Proposed Solution

SECURITY.md should cover

Additional actions

References

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Add organisation-wide security policy and vulnerability reporting #12

Description

Problem Statement

Proposed Solution

SECURITY.md should cover

Additional actions

References

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions