docs: add security policy

SECURITY.md

@@ -0,0 +1,88 @@
+# Security Policy
+
+## Supported Versions
+
+reeln-plugin-cloudflare is pre-1.0 software. Security fixes are
+published against the latest release only. We recommend always running
+the most recent version from
+[PyPI](https://pypi.org/project/reeln-plugin-cloudflare/) or the
+[Releases page](https://github.com/StreamnDad/reeln-plugin-cloudflare/releases).
+
+| Version | Supported          |
+| ------- | ------------------ |
+| latest release | :white_check_mark: |
+| older   | :x:                |
+
+## Scope
+
+reeln-plugin-cloudflare is a reeln-cli plugin that uploads video clips
+and highlight files to Cloudflare R2 storage via the S3-compatible API.
+It runs inside `reeln-cli` on a livestreamer's local machine and makes
+outbound HTTPS requests to Cloudflare using R2 access keys stored on
+disk.
+
+In-scope concerns include, but are not limited to:
+- Leakage of R2 access key IDs, secret access keys, or account IDs via
+  logs, error messages, cached responses, or saved state
+- Insecure file permissions on the on-disk credential store
+- Unsafe handling of presigned URLs — accidental logging, overly long
+  expirations, or granting broader permissions than intended
+- Path traversal in R2 object keys derived from user-supplied game
+  metadata (team names, clip titles, roster strings)
+- Unsafe deserialization of R2/S3 API responses or cached manifests
+- Command injection or path traversal in upload staging directories or
+  local artifact paths
+- Dependency confusion or typosquatting on the PyPI package name
+
+Out of scope:
+- Vulnerabilities in Cloudflare R2 itself or in the upstream `boto3` /
+  `botocore` S3 client — report those to the respective upstream
+- Vulnerabilities in reeln-cli or other reeln plugins — report those to
+  the respective repository
+- Issues that require an attacker to already have local code execution
+  on the user's machine or access to the stored R2 credentials
+
+## Reporting a Vulnerability
+
+**Please do not report security vulnerabilities through public GitHub
+issues, discussions, or pull requests.**
+
+Report vulnerabilities using GitHub's private vulnerability reporting:
+
+1. Go to the [Security tab](https://github.com/StreamnDad/reeln-plugin-cloudflare/security)
+   of this repository
+2. Click **"Report a vulnerability"**
+3. Fill in as much detail as you can: affected version, reproduction steps,
+   impact, and any suggested mitigation
+
+If you cannot use GitHub's reporting, email **git-security@email.remitz.us**
+instead.
+
+### What to include
+
+A good report contains:
+- The version of reeln-plugin-cloudflare, reeln-cli, and Python you
+  tested against
+- Your operating system and architecture (macOS / Windows / Linux, arch)
+- Steps to reproduce the issue
+- What you expected to happen vs. what actually happened
+- The potential impact (credential leakage, unauthorized bucket access,
+  presigned URL abuse, data loss, etc.)
+- Any proof-of-concept code, if applicable
+
+### What to expect
+
+This plugin is maintained by a small team, so all timelines below are
+best-effort rather than hard guarantees:
+
+- **Acknowledgement:** typically within a week of your report
+- **Initial assessment:** usually within two to three weeks, including
+  whether we consider the report in scope and our planned next steps
+- **Status updates:** roughly every few weeks until the issue is resolved
+- **Fix & disclosure:** coordinated with you. We aim to ship a patch
+  release reasonably quickly for high-severity issues, with lower-severity
+  issues addressed in a future release. Credit will be given in the
+  release notes and CHANGELOG unless you prefer to remain anonymous.
+
+If a report is declined, we will explain why. You are welcome to disagree
+and provide additional context.