
Add SECURITY.md security policy documentation #214

Open

sahaj-13 wants to merge 2 commits into main from sahaj-security-policy

Conversation

Collaborator

@sahaj-13 sahaj-13 commented May 7, 2026

Summary

This PR adds a SECURITY.md file to document the security policy and responsible disclosure process for the AutoAudit project.

What changed

  • Added security reporting guidance
  • Documented security-sensitive areas of the platform
  • Added CI/CD security control notes
  • Included Bandit, CodeQL, dependency scanning, and pull request review practices
  • Added recommendations for authentication, rate limiting, file upload security, and future identity provider improvements

Value

This improves the project’s DevSecOps documentation by giving contributors a clear reference for reporting vulnerabilities and understanding key security controls.

Collaborator

@du-dhartley du-dhartley left a comment

This file, while well intentioned, reads like a security backlog. This is not the place to put what this repository should be working on, what issues should be fixed and what we need to do. Please pull all backlog related items out of this file.

The current state of this file, including branches that are not used and are not valid, gives malicious actors (this repository is public, remember) advice that we aren't protecting specific endpoints the way we should be.
