docs: add SECURITY.md with coordinated-disclosure contact

CONTRIBUTING.md

@@ -1,5 +1,7 @@
 # Contributing to HackAgent
 
+Please review our [Security Policy](SECURITY.md) before contributing.
+
 First off, thank you for considering contributing to HackAgent! It's people like you that make HackAgent such a great tool. We welcome contributions of all kinds, from bug reports and feature requests to documentation improvements and code contributions.
 
 Following these guidelines helps to communicate that you respect the time of the developers managing and developing this open-source project. In return, they should reciprocate that respect in addressing your issue, assessing changes, and helping you finalize your pull requests.

README.md

@@ -7,7 +7,9 @@
 
 <br>
 
-[App](https://app.hackagent.dev/) -- [Docs](https://docs.hackagent.dev/) -- [API](https://api.hackagent.dev/schema/redoc)
+[![Security Policy](https://img.shields.io/badge/security-policy-blue?logo=github)](SECURITY.md)
+
+<br>
 
 <br>
 

SECURITY.md

@@ -0,0 +1,47 @@
+# Security Policy
+
+## Supported Versions
+
+We actively support the following versions of HackAgent with security updates:
+
+| Version | Supported          |
+| ------- | ------------------ |
+| Latest  | :white_check_mark: |
+| < 2.0   | :x:                |
+
+## Reporting a Vulnerability
+
+We take the security of HackAgent seriously. If you discover a security vulnerability, please report it to us privately.
+
+**Contact:** ais@ai4i.it
+
+**Expected Response SLA:**
+- **Acknowledgement:** Within 48 hours of receiving your report.
+- **Initial Assessment:** Within 7 days with a detailed plan for addressing the issue.
+- **Status Updates:** Every 5 days until the vulnerability is resolved.
+
+## Disclosure Policy
+
+We follow a coordinated disclosure process:
+1. Security report received and acknowledged.
+2. Issue is verified and fixed in a private fork.
+3. Security advisory is published on GitHub.
+4. Patch is released to the main branch.
+5. Public disclosure after fix is available (typically 24-48 hours after patch).
+
+## PGP Key
+
+Currently, we do not provide a PGP key for encrypted communication. Please use the secure contact email above.
+
+## Scope
+
+Vulnerabilities in the following areas are within scope:
+- Authentication and authorization mechanisms
+- Data handling and privacy protections
+- Code injection vulnerabilities
+- Dependency vulnerabilities in `requirements.txt` / `pyproject.toml`
+
+Out of scope:
+- Social engineering attacks
+- Physical security issues
+- DoS attacks against public infrastructure