docs: add SECURITY.md with private vulnerability-reporting policy (#1499) #1848

Open: jbbqqf wants to merge 1 commit into Data-Centric-AI-Community:develop from jbbqqf:feat/1499-add-security-md


jbbqqf commented May 9, 2026

Summary

Add a SECURITY.md describing a private channel for vulnerability
reports, as requested in #1499 and recommended by GitHub's
repository-security documentation.

Fixes #1499 (Add SECURITY.md).

Context

Issue #1499 (Nov 2023) was opened by a security-research community asking
for a private reporting channel: at the time the repo had no
SECURITY.md, no .github/SECURITY.md, and no /docs/SECURITY.md. Two
years later, that gap is still open.

GitHub strongly recommends every public OSS repository publish such a
file (documentation). The doc explains how GitHub auto-detects
SECURITY.md in the repo root, .github/, or docs/ and surfaces a
"Report a vulnerability" button on the repo's Security tab. Without a
SECURITY.md, that button is hidden and reporters either give up or
file the vulnerability publicly — both are bad outcomes.

Changes

  • SECURITY.md (new) at the repo root: GitHub's preferred location.
  • tests/issues/test_issue1499.py (new): two repo-hygiene tests that
    assert the file is present and mentions the three things a researcher
    needs (private channel, "no public issues" warning, reply-time
    expectation). The tests intentionally accept any of the three GitHub
    auto-detect locations so a future maintainer can move the file
    without breaking the contract.

The policy text:

  • Lists supported versions (latest minor + develop, older 4.x
    best-effort, 3.x and older unsupported).
  • Provides two private reporting channels — GitHub Security Advisories
    (preferred, encrypted thread) and the maintainer email already
    published in pyproject.toml (opensource@ydata.ai). If a different
    email is preferred, swap it on a follow-up — the test checks for the
    presence of an @-style address, not a specific one.
  • Sets a 5-business-day acknowledgement window and a 30–90-day
    coordinated-disclosure target.
  • Calls out what's out of scope (unsupported versions, attacker already
    has local access, third-party dependency issues), so researchers can
    self-route reports that don't belong here.

Reproduce BEFORE/AFTER yourself (copy-paste)

# --- one-time setup ---
git clone https://github.com/Data-Centric-AI-Community/fg-data-profiling.git /tmp/repro && cd /tmp/repro
python3 -m venv /tmp/repro-venv
source /tmp/repro-venv/bin/activate
pip install -q 'setuptools<81' pytest pandas

# --- BEFORE (origin/develop) ---
git checkout origin/develop
ls SECURITY.md .github/SECURITY.md docs/SECURITY.md 2>&1 | head -3
# Expected: all three "No such file or directory"
git fetch https://github.com/jbbqqf/fg-data-profiling.git feat/1499-add-security-md
git checkout FETCH_HEAD -- tests/issues/test_issue1499.py
python3 -m pytest tests/issues/test_issue1499.py -v 2>&1 | tail -5
# Expected: 2 failed (no SECURITY.md found at any of the three locations)

# --- AFTER (this PR) ---
git fetch https://github.com/jbbqqf/fg-data-profiling.git feat/1499-add-security-md
git checkout FETCH_HEAD
ls SECURITY.md
# Expected: SECURITY.md
python3 -m pytest tests/issues/test_issue1499.py -v 2>&1 | tail -5
# Expected: 2 passed

The only thing that changes between BEFORE and AFTER is the checked-out
git ref.

What I ran locally

  • pytest tests/issues/test_issue1499.py -v → 2/2 passed on the fix
    branch.
  • Same test run against origin/develop (with the test file checked out
    from the fix branch as a borrowed regression test) → 2/2 failed
    (expected — the file is genuinely missing on develop).
  • black --check tests/issues/test_issue1499.py → clean.
  • markdownlint not run (not part of the project's make lint); the
    file follows the same heading/punctuation style as CONTRIBUTING.md.

Edge cases tested

| # | Scenario | Input | Expected | Verified by |
|---|----------|-------|----------|-------------|
| 1 | File present at repo root | SECURITY.md | test passes | test_security_md_exists_at_repo_root |
| 2 | File moved to .github/ later | .github/SECURITY.md | test still passes | same test (checks all three GitHub-detected locations) |
| 3 | File present but missing required content | text without @/email + advisory link, or no "do not file public issues" warning | test fails | test_security_md_describes_a_private_reporting_channel |

Risk / blast radius

  • Pure documentation addition — no code paths affected.
  • The maintainer email used (opensource@ydata.ai) is the one already
    published in pyproject.toml. If the project would prefer a
    vulnerability-only address, change it post-merge.

Release note

docs: add SECURITY.md with a private channel for vulnerability reports. (#1499)

Upstream PR checklist (from .github/PULL_REQUEST_TEMPLATE/pull_request_template.md)

  • make lint — black clean on the new test file (no other lintable
    files touched).
  • make docs — n/a; SECURITY.md is auto-rendered by GitHub and not
    part of the mkdocs site.
  • make test: pytest tests/issues/test_issue1499.py -v → 2/2 passed.
  • make examples — n/a; no example changes.

PR drafted with assistance from Claude Code. The change was reviewed
manually against GitHub's repository-security documentation and the
existing repo conventions. The reproducer block above was used during
development; it is the same one a reviewer can paste verbatim.

…ta-Centric-AI-Community#1499)

Adds the SECURITY.md file requested in Data-Centric-AI-Community#1499. The file:

- declares the supported version lines (latest minor + develop branch);
- gives two private reporting channels — GitHub Security Advisories
  (preferred) and the maintainer email already published in
  pyproject.toml (`opensource@ydata.ai`);
- sets a 5-business-day acknowledgement expectation and outlines the
  coordinated-disclosure timeline;
- explicitly documents what's out of scope (unsupported versions,
  attacker-already-has-local-access scenarios, transitive deps), so
  researchers can self-route reports that don't belong here.

A small repo-hygiene test (tests/issues/test_issue1499.py) asserts the
file is present at one of the three locations GitHub auto-detects
(repo root, /.github, /docs) and that it mentions the three things a
researcher needs in order to actually use the policy: a private channel,
a "do not file public issues" warning, and a reply-time expectation.
The test fails on origin/develop (no SECURITY.md present) and passes
on this branch.

Co-Authored-By: Claude Code <noreply@anthropic.com>
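
An added example of the repo-hygiene check described above (not the PR's own tests/issues/test_issue1499.py): it looks for the policy in the three auto-detected locations and reports which of the three required items is missing. The function names, regexes and sample policy text are assumptions.

```python
import re
import tempfile
from pathlib import Path

# The three locations the PR text says GitHub auto-detects.
CANDIDATES = ("SECURITY.md", ".github/SECURITY.md", "docs/SECURITY.md")

# Assumed heuristics for the three required items (not the PR's own checks).
REQUIREMENTS = {
    "private channel": re.compile(
        r"[\w.+-]+@[\w-]+(\.[\w-]+)+|security/advisories", re.I),
    "no-public-issue warning": re.compile(
        r"(do not|don't|never)\b[^.\n]*\bpublic\b[^.\n]*\bissue", re.I),
    "reply-time expectation": re.compile(
        r"\b\d+\s*(business\s+)?(day|hour)s?\b", re.I),
}

def find_policy(repo_root):
    """Return the first existing policy path, or None."""
    paths = (Path(repo_root) / rel for rel in CANDIDATES)
    return next((p for p in paths if p.is_file()), None)

def audit_policy(repo_root):
    """Return a list of problems; an empty list means the policy is usable."""
    path = find_policy(repo_root)
    if path is None:
        return ["no SECURITY.md at any auto-detected location"]
    text = path.read_text(encoding="utf-8")
    return [f"missing {name}" for name, rx in REQUIREMENTS.items()
            if not rx.search(text)]

def demo():
    """Audit three constructed sample repositories (all inputs are made up)."""
    good = ("Report privately via security@example.org.\n"
            "Do not open a public issue for vulnerabilities.\n"
            "We acknowledge reports within 5 business days.\n")
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        results["empty"] = audit_policy(root)
        (root / ".github").mkdir()
        (root / ".github" / "SECURITY.md").write_text("Email us.\n", encoding="utf-8")
        results["thin"] = audit_policy(root)
        (root / "SECURITY.md").write_text(good, encoding="utf-8")
        results["good"] = audit_policy(root)
    return results

if __name__ == "__main__":
    print(demo())
```

Returning the list of missing items, rather than a bare pass/fail, tells a maintainer which part of the policy text regressed when the check runs in CI.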