
docs: Add security policy.#281

Merged: nedseb merged 2 commits into main from docs/security-policy on Mar 28, 2026

Conversation

@nedseb
Contributor

@nedseb nedseb commented Mar 28, 2026

Summary

Add .github/SECURITY.md with:

  • Supported versions (most recent tagged release only)
  • How to report vulnerabilities (GitHub Security Advisories or email)
  • What to include in a report
  • Response timeline (7 days ack, 30 days fix)
  • Scope (driver library and tooling, not firmware, hardware, or third-party deps)
  • Automated security features in use (Dependabot alerts, CodeQL analysis, secret scanning)

Once merged, GitHub will display a "Security policy" link on the repository's Security tab.

Closes #282

Test plan

  • SECURITY.md follows GitHub's expected path (.github/SECURITY.md)
  • Report link points to the correct advisory URL

Copilot AI review requested due to automatic review settings March 28, 2026 15:47
Contributor

Copilot AI left a comment


Pull request overview

Adds a repository security policy document so GitHub can surface reporting guidance under the repo’s Security tab, and so reporters have a clear disclosure path and expectations.

Changes:

  • Introduces .github/SECURITY.md describing supported versions, reporting channels, expected response timeline, and scope.
  • Documents (claimed) automated security tooling used by the repository.


Comment thread .github/SECURITY.md Outdated

* The MicroPython firmware itself (report upstream at [micropython/micropython](https://github.com/micropython/micropython))
* The STeaMi board hardware
* Third-party npm dependencies (report upstream to the respective package maintainers)

Copilot AI Mar 28, 2026


Scope currently excludes only "Third-party npm dependencies", but this repo also has third-party Python dependencies (e.g., in pyproject.toml). To avoid ambiguity, consider broadening this bullet to cover third-party dependencies in general (or explicitly mention both npm and Python tooling deps).

Suggested change
* Third-party npm dependencies (report upstream to the respective package maintainers)
* Third-party dependencies (e.g., npm packages, Python packages; report upstream to the respective package maintainers)

Comment thread .github/SECURITY.md Outdated
Comment on lines +44 to +48
This repository uses:

* **Dependabot** for automated dependency vulnerability alerts
* **CodeQL** for static analysis on CI workflows
* **Secret scanning** for detecting leaked credentials

Copilot AI Mar 28, 2026


The "Automated Security" section claims CodeQL and Dependabot are in use, but there doesn't appear to be a CodeQL workflow under .github/workflows/, and there is no .github/dependabot.yml config in the repo. Either add/configure these tools or adjust the policy text to reflect what is actually enabled.

Suggested change
This repository uses:
* **Dependabot** for automated dependency vulnerability alerts
* **CodeQL** for static analysis on CI workflows
* **Secret scanning** for detecting leaked credentials
This repository currently relies on:
* **Secret scanning** for detecting leaked credentials
Additional automated security tooling (such as CodeQL or Dependabot) may be added in the future as part of ongoing security improvements.

Comment thread .github/SECURITY.md Outdated
| latest release | Yes |
| older releases | No |

Only the latest release on the `main` branch receives security updates.

Copilot AI Mar 28, 2026


The sentence "Only the latest release on the main branch" is confusing/inaccurate wording because releases are tags (not on a branch). Consider rephrasing to something like "Only the most recent tagged release is supported" (or, if intended, "Only the main branch is supported").

Suggested change
Only the latest release on the `main` branch receives security updates.
Only the most recent tagged release receives security updates.

@nedseb
Contributor Author

nedseb commented Mar 28, 2026

The three Copilot remarks have been addressed in cdcee53:

  1. "latest release on the main branch" → "most recent tagged release" — more precise, since releases are tags.
  2. Third-party npm dependencies → "Third-party dependencies (npm packages, Python packages)" — also covers the Python dependencies.
  3. CodeQL/Dependabot not configured → Copilot is wrong, both are active (3 CodeQL alerts, 13 Dependabot alerts via the repo settings). The text has been reworded to "GitHub security features enabled" for clarity.

@nedseb nedseb mentioned this pull request Mar 28, 2026
2 tasks
@nedseb nedseb merged commit d3230d8 into main Mar 28, 2026
10 checks passed
@nedseb nedseb deleted the docs/security-policy branch March 28, 2026 15:58