chore: create SECURITY.md (#1841)

SECURITY.md

@@ -0,0 +1,40 @@
+# Security Policy
+
+## Reporting a Vulnerability
+
+### Types of Security Issues
+We actively monitor:  
+- Code vulnerabilities (RCE, XSS, authentication bypass)  
+- Dependency risks (critical vulnerabilities in project dependencies, such as requirements.txt, pyproject.toml, or equivalent files)  
+- Configuration flaws (insecure defaults in deployment scripts)  
+
+### Disclosure Channels (Choose one):
+
+1. **Encrypted Email**  
+   Contact: `[email protected]`  
+   *Subject format: `[SECURITY] ModuleName - Brief Description`*
+
+2. **GitHub Private Report**  
+   Use GitHub's ["Report a vulnerability"](https://github.com/Megvii-BaseDetection/YOLOX/security/advisories) feature  
+
+3. **Reporting Security Issues**  
+   Please report security issues using Create new issue: https://github.com/Megvii-BaseDetection/YOLOX/issues/new
+
+
+## Response Process  
+1. **Acknowledgement**  
+   - Initial response within **48 business hours**  
+2. **Assessment**  
+   - Triage using CVSS v3.1 scoring  
+3. **Remediation**  
+   - Critical (CVSS ≥9.0): Patch within **7 days**  
+   - High (CVSS 7-8.9): Patch within **30 days**  
+4. **Public Disclosure**  
+   - Published via [GitHub Advisories](https://github.com/Megvii-BaseDetection/YOLOX/security/advisories)  
+   - CVE assignment coordinated with [MITRE](https://cveform.mitre.org)
+  
+## Secure Development Practices  
+- Always verify hashes when downloading dependencies:  
+  ```bash
+  sha256sum -c <your-dependency-hash-file>
+  ```