security: publish community vulnerability disclosure and triage policy

[TheNewAutonomy]

Parent epic: #262

Define the pre-launch security disclosure and triage workflow for a no-budget, community-review launch model.

Why

Catalyst plans to launch without paid external audit/pen-test services. We need a clear, operator-facing and contributor-facing process for responsible disclosure and deterministic remediation handling.

Deliverables

• Security contact channel and intake path (private reporting preferred)
• Report template (impact, reproduction, versions, environment)
• Severity mapping (Critical/High/Medium/Low)
• Triage policy (owners, escalation, acceptance criteria)
• Response SLA targets (first response + update cadence)
• Coordinated disclosure guidance and acknowledgement policy
• Linkage to remediation evidence expectations in security: define security review scope and remediation checklist #273 and security: implement adversarial test plan (DoS/eclipse/sybil/partition) with evidence #272

Definition of done

• Policy documented in docs/ and linked from docs/README.md
• Workflow references existing mainnet security gates (#272, #273, #280)
• Tracker issue mainnet: launch readiness program tracker #260 updated to include this requirement in launch criteria