
docs: add SECURITY.md with vulnerability reporting policy#14353

Open
sedat4ras wants to merge 1 commit into sphinx-doc:master from sedat4ras:docs/add-security-policy

Conversation

@sedat4ras

Purpose

Adds .github/SECURITY.md to publish Sphinx's security vulnerability reporting policy.

Closes #13063

GitHub automatically surfaces this file in the repository's Security tab and shows a "Report a vulnerability" button to users, replacing the generic GitHub message with project-specific guidance.

The policy documents:

  • GitHub Security Advisories as the preferred private reporting channel
  • Email contact as an alternative (admin@sphinx-doc.org — please update if this is incorrect)
  • Which versions receive security fixes (latest stable only)
  • The disclosure process outline

Note to maintainers: Please verify the email address is correct or update it to the preferred contact. The issue mentioned emailing the lead maintainer directly; if you'd prefer that, replace admin@sphinx-doc.org with the appropriate address.

References

Closes sphinx-doc#13063

Add a GitHub security policy file (.github/SECURITY.md) that documents
how to report vulnerabilities in Sphinx. Covers:
- GitHub Security Advisories as the preferred private channel
- Email contact as an alternative
- Supported versions policy
- Disclosure process outline

GitHub automatically surfaces this file in the Security tab and shows
a "Report a vulnerability" button to users.
@sedat4ras
Author

Closing — CI failed on the job (unrelated to the change, but keeping the PR clean). Will reopen once the issue is investigated.

@sedat4ras sedat4ras closed this Mar 23, 2026
@sedat4ras sedat4ras reopened this Mar 23, 2026
@sedat4ras
Author

Note on the CI failure: the ty job is failing, but this is unrelated to this PR — ty is a type checker linting the Sphinx Python source code, and SECURITY.md is a plain Markdown file that doesn't touch any Python code. The failure appears to be a pre-existing issue in the repository unrelated to this change.



Development

Successfully merging this pull request may close these issues.

Add SECURITY.rst

1 participant