docs: restore canonical security policy

Move .github/SECURITY.md to the repository root so it replaces the
top-level SECURITY.md added by the Salesforce OSPO Service Bot on
2026-06-02. GitHub resolves security policy with root taking precedence
over .github/, so the bot file had silently shadowed the maintained
policy. This restores the correct reporting channel.

Co-Authored-By: Claude <svc-devxp-claude@slack-corp.com>

Author: WilliamBergamin

.github/SECURITY.md

@@ -1,7 +1,63 @@
-## Security
+# Security Policy
 
-Please report any security issue to [https://www.sfdc.co/SubmitVuln](https://www.sfdc.co/SubmitVuln)
-as soon as it is discovered. This library limits its runtime dependencies in
-order to reduce the total cost of ownership as much as can be, but all consumers
-should remain vigilant and have their security stakeholders review all third-party
-products (3PP) like this one and their dependencies.
+Slack takes the security of its software and services seriously, including all open-source repositories managed through the [slackapi](https://github.com/slackapi) GitHub organization.
+
+## Reporting a Vulnerability
+
+**Do NOT report security vulnerabilities through public GitHub issues, pull requests, or discussions.**
+
+If you believe you have found a security vulnerability in `slack-bolt`, please report it through the Slack bug bounty program on HackerOne:
+
+**<https://hackerone.com/slack>**
+
+Even if `slack-bolt` is not explicitly listed as an in-scope asset on the HackerOne program page, reports for vulnerabilities in this package should still be submitted there. The Slack security team triages reports for all `slackapi` open-source repositories through this program.
+
+If HackerOne is inaccessible, you may alternatively report the issue to [security@salesforce.com](mailto:security@salesforce.com).
+
+Please do not discuss potential vulnerabilities in public without first coordinating with the security team.
+
+## What to Include
+
+To help us triage and respond quickly, please include:
+
+- Type of vulnerability (e.g., signature bypass, token leakage, denial of service)
+- Affected version(s) of `slack-bolt`
+- Step-by-step reproduction instructions
+- Proof-of-concept code or payloads, if available
+- Impact assessment: what an attacker could achieve
+- Any specific configuration required to trigger the vulnerability
+- Affected source file paths, if known
+
+## Threat Model
+
+Bolt for Python is a framework that sits between the Slack platform and developer application code. Its security boundary covers the integrity and confidentiality of that interface.
+
+### In Scope
+
+The following are considered framework vulnerabilities:
+
+- Bypass of request signature verification (HMAC-SHA256 validation)
+- OAuth token leakage or cross-tenant token exposure during authorization flows
+- Denial of service caused by malformed or specially crafted payloads processed by framework internals
+- Authentication or authorization bypass in any built-in adapter
+- Information disclosure through framework error responses or timing side channels
+- Bypass of the `ssl_check` endpoint protections
+
+### Out of Scope
+
+The following are NOT framework vulnerabilities:
+
+- Vulnerabilities in the Python runtime, operating system, or hosting infrastructure
+- Security issues in developer application logic built on top of Bolt (e.g., SQL injection caused by passing unsanitized payload data to a database)
+- Vulnerabilities in third-party PyPI packages chosen and installed by the developer outside of Bolt's direct dependencies
+- Vulnerabilities in Slack's server-side platform infrastructure (report those directly under Slack's main HackerOne scope)
+- Attacks that require possession of a valid signing secret or bot token
+- Arbitrary attribute injection or unsafe deserialization caused by developer code handling untrusted input
+- Issues that only affect end-of-life versions with no reproduction on supported versions
+
+## Disclosure Policy
+
+This project follows coordinated disclosure:
+
+- Allow a reasonable timeframe for the team to investigate, develop, and release a fix before any public disclosure.
+- Researchers who follow responsible disclosure practices are eligible for recognition and bounty consideration through the Slack HackerOne program.