Add security policy with reporting guidelines

SECURITY.md

@@ -0,0 +1,40 @@
+# Security Policy
+
+## Reporting a Vulnerability
+
+The preferred channel for reporting security vulnerabilities is our bug bounty program on Immunefi:
+
+https://immunefi.com/bug-bounty/spark-lightspark/
+
+If you are unable to use Immunefi for any reason, you may report vulnerabilities privately using GitHub Private Vulnerability Reporting (available under the Security tab of this repository), or by emailing the maintainers directly.
+
+Please include, whenever possible:
+
+- A clear description of the issue
+- Affected components and commit hashes
+- Step-by-step reproduction instructions
+- Proof-of-concept code or test cases
+- Impact assessment and suggested severity
+- Proposed mitigations or patches (optional)
+
+## Reward Eligibility
+
+Valid security findings submitted through GitHub Private Vulnerability Reporting or via email will be evaluated under the same criteria and reward tiers as our Immunefi bug bounty program, provided they meet the same scope, impact, and disclosure requirements.
+
+Researchers who are unable to use Immunefi will not be disadvantaged solely because they used an alternative private reporting channel.
+
+## Coordinated Disclosure
+
+Please do not publicly disclose vulnerabilities until the issue has been resolved and we have agreed on a disclosure timeline.
+
+We will acknowledge receipt of your report as soon as possible and aim to keep you informed throughout the remediation process.
+
+## Safe Harbor
+
+We support responsible security research conducted in good faith and will not pursue legal action against researchers who:
+
+- Avoid violating privacy or disrupting service availability
+- Do not access or modify user funds or data beyond what is necessary to demonstrate the issue
+- Give us a reasonable opportunity to remediate the issue before public disclosure
+
+Thank you for helping us keep Spark secure.