docs: add SECURITY.md — Phase 1 disclosure policy#21

Open
abhicris wants to merge 1 commit into create-protocol:research/depin-benchmark from abhicris:docs/security-policy

Conversation

@abhicris
Member

@abhicris abhicris commented Jun 4, 2026

Summary

Add SECURITY.md to the repo root setting explicit disclosure expectations for the pre-audit Phase 1 period. No code changes.

What's in scope

  • Supported-versions table (testnet vs mainnet, audited vs not)
  • Reporting channel (security@kcolbchain.com) + PGP key reference
  • Bug-bounty posture: not yet active; signposted for Phase 2 once a real value-at-risk surface exists
  • Out-of-scope items: third-party libs, infra not run by Create Protocol, denial-of-service against testnet RPC
  • Response-timeline commitment (acknowledge in 72h, triage in 7 days)

Why

External researchers asking about disclosure now get a clear policy file instead of having to read README + commit history. Signals that the project takes security seriously even pre-audit, which matters for the Phase 1 → Phase 2 audit prep.

What's NOT in scope

  • No bug bounty payout structure (deferred to Phase 2)
  • No threat model document (separate docs/security/THREAT_MODEL.md PR will follow)
  • No formal disclosure timeline (90-day or otherwise) — left flexible for Phase 1

Pairs with the three already-merged spec PRs (#18, #19, #20) as part of the repo-quality sweep.

CR8 is pre-audit Phase 1. This SECURITY.md sets the disclosure expectation
explicitly so external researchers know:

- Phase boundaries (testnet vs mainnet, audited vs not)
- The reporting channel (security@kcolbchain.com) and PGP key reference
- Bug-bounty posture (not yet active; signposted for Phase 2)
- Out-of-scope items (third-party libs, infra not run by Create Protocol)
- Response timeline commitment

No code changes.
