
docs: add SECURITY.md security policy (EN + 中文)#1044

Open
circlecrystal wants to merge 1 commit into GCWing:main from circlecrystal:docs/add-security-policy

Conversation

@circlecrystal

Summary

Add a security policy so the repository's Security tab is populated instead of showing "This project has not set up a SECURITY.md file yet."

Adds two files following the existing bilingual doc convention (CONTRIBUTING.md / CONTRIBUTING_CN.md):

  • SECURITY.md (English) — GitHub's canonical location, picked up automatically by the Security tab and the "Suggest a security policy" prompt.
  • SECURITY_CN.md (中文) — cross-linked from the English version.

Type and Areas

Type: docs

Areas: docs / repository meta

Motivation / Impact

The repo had no SECURITY.md, so GitHub showed an empty security policy and no clear, discoverable channel for reporting vulnerabilities. This documents:

  • Supported versions — rolling 0.x; fixes land on the latest release.
  • Private reporting — routed to GitHub Security Advisories (/security/advisories/new), consistent with the existing .github/ISSUE_TEMPLATE/config.yml contact link, with a no-details fallback for reporters who can't use Advisories.
  • Coordinated disclosure process, scope (in/out), and a safe-harbor clause.

No code or user-facing runtime change.

Verification

  • Docs-only change; no build/test impact.
  • git diff main... shows exactly the two new files (118 insertions, 0 deletions).
  • Confirmed reporting link and contact channel match the existing .github/ISSUE_TEMPLATE/config.yml.
  • Verified EN ↔ 中文 cross-links resolve to the correct relative paths.

Reviewer Notes

  • Branch is based on current upstream main (3a4b5ff0); the diff is limited to the policy files.
  • Please confirm the 5 business days acknowledgement target is acceptable, or suggest a different SLA.

Checklist

  • This PR is focused and does not include secrets, temporary prompts, generated scratch files, or unrelated artifacts.
  • Relevant verification is recorded above, or skipped checks are explained.
  • User-facing strings, docs, and locales are updated where applicable.

🤖 Generated with Claude Code

Set up the repository's security policy so GitHub's Security tab is
populated instead of showing "This project has not set up a SECURITY.md
file yet."

- SECURITY.md (English) + SECURITY_CN.md (中文), following the existing
  bilingual doc convention (CONTRIBUTING.md / CONTRIBUTING_CN.md).
- Private reporting routes to GitHub Security Advisories, consistent with
  the existing .github/ISSUE_TEMPLATE/config.yml contact link.
- Covers supported versions (rolling 0.x), reporting steps, coordinated
  disclosure process, scope, and a safe-harbor clause.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
