security: setup security policy (#1459)

## 📜 Description

Added `SECURITY.MD` file.

## 💡 Motivation and Context

In the era of AI and upcoming security models from Anthropic/OpenAI I
think it's important to define security policy for this repo. We'll
prompt to report vulnerability first before public disclosure.

## 📢 Changelog

<!-- High level overview of important changes -->
<!-- For example: fixed status bar manipulation; added new types
declarations; -->
<!-- If your changes don't affect one of platform/language below - then
remove this platform/language -->

### Docs

- added `SECURITY.MD` file;

## 🤔 How Has This Been Tested?

Tested via preview. Can be fully tested after a merge 🤞 

## 📸 Screenshots (if appropriate):

<img width="1042" height="997" alt="Screenshot 2026-05-12 at 18 28 08"
src="https://github.com/user-attachments/assets/3f82055c-0649-4346-98d0-c1f9f4b2e423"
/>

## 📝 Checklist

- [x] CI successfully passed
- [x] I added new mocks and corresponding unit-tests if library API was
changed

Author: kirillzyusko

SECURITY.md

@@ -0,0 +1,37 @@
+# Security Policy
+
+## Supported Versions
+
+Only the latest minor release of `react-native-keyboard-controller` receives security fixes. Older versions will not be patched — please upgrade to the latest release before reporting.
+
+## Reporting a Vulnerability
+
+Please **do not** open a public GitHub issue, discussion, or pull request for security problems.
+
+Instead, report vulnerabilities privately through GitHub's [Private Vulnerability Reporting](https://github.com/kirillzyusko/react-native-keyboard-controller/security/advisories/new). This keeps the report confidential until a fix is available and credits you in the resulting advisory.
+
+When reporting, please include:
+
+- A description of the issue and its impact
+- Steps to reproduce (minimal repro, affected platform — iOS / Android / Web)
+- Affected version(s)
+- Any suggested mitigation, if known
+
+## Response Process
+
+- **Acknowledgement:** within 48 hours of report
+- **Initial assessment:** within 7 days
+- **Fix target:** within 90 days for confirmed vulnerabilities, sooner for high-severity issues
+- **Disclosure:** coordinated via a GitHub Security Advisory once a patched release is available
+
+## Scope
+
+In scope:
+
+- The library source under `src/`, `android/`, `ios/`, and the published npm package
+
+Out of scope:
+
+- The example applications (`example/`, `FabricExample/`) — these exist only for local development and integration testing
+- Issues in third-party dependencies (please report those upstream)
+- Vulnerabilities requiring a physically compromised device or a modified host application