Create SECURITY.md

Author: albertuszerk

SECURITY.md

@@ -0,0 +1,17 @@
+# Security Policy
+
+## Supported Versions
+We generally support the **latest release** of the single-file app (`index-Release-x.y.z-YYYYMMDD.htm`). Please update to the newest release before filing a report.
+
+## Reporting a Vulnerability
+- Use **GitHub private reporting**: repo → **Security → Report a vulnerability** (creates a private advisory).
+- Include reproduction steps, affected browsers/OS, and the exact app filename tested.
+
+We aim to acknowledge within **3–5 business days** and propose a remediation plan shortly after.
+
+## Scope
+Client-side single-file app: browser permissions, microphone handling, local memory/cache.
+
+## Out of Scope
+- Third-party browser bugs (report to browser vendors)
+- Issues requiring privileged/local system access without user interaction