feat: add SECURITY.md

SECURITY.md

@@ -0,0 +1,97 @@
+# Security Policy for Judge4C
+
+## 🎯 Supported Branches & Versions
+
+- **main** — the production-ready and officially released branch.
+- **develop** — used for testing and pre-release. Not for production use.
+- We only support and patch security issues on `main` and actively-maintained releases.
+
+---
+
+## 🛡️ Reporting a Vulnerability
+
+We appreciate responsible disclosure! Please follow this process:
+
+1. **Submission**
+    - Preferably via GitHub’s official vulnerability reporting: **Security → Report a vulnerability**.
+    
+2. **Report Details**
+    - Affected version or commit (e.g., `main` or specific SHA/hash).
+    - Clear description and impact assessment.
+    - Steps to reproduce, proof-of-concept (PoC), logs/screenshots/use cases.
+    - Environment details (OS, dependencies, config, etc.).
+
+3. **Confidentiality**
+    - All vulnerability discussions will remain confidential until a fix is released.
+    - We respect credit preferences—anonymous reporting is accepted.
+
+---
+
+## 🧭 Response Timeline
+
+| Phase            | Target Timeline         | Description |
+|------------------|-------------------------|-------------|
+| Acknowledgment   | Within 5 business days  | Confirm receipt and provide a tracking reference. |
+| Triage & Patching | Within 14 calendar days | Investigate, assess risk, and provide a fix or mitigation. |
+| Public Disclosure | After fix release       | Publish advisory in release notes and/or security bulletin. |
+
+---
+
+## ⚠️ Severity Guidance
+
+We appreciate reports of all severity levels. Example categories:
+
+- **Critical**: Remote code execution, authentication bypass, data exfiltration.
+- **High**: Privilege escalation, serious data/information leakage.
+- **Medium**: XSS, CSRF, business logic issues.
+- **Low**: Minor config weaknesses, non-sensitive information exposure.
+
+---
+
+## 🔐 Security Best Practices
+
+We maintain the following controls and hygiene measures:
+
+- Docker-based sandboxing for isolated C-program execution; resource-limited.
+- Recommend TLS (HTTPS) for all network access and secure authentication tokens.
+- Strict access controls: only administrators and teachers can perform sensitive operations.
+- Dependabot and/or CodeQL for dependency & code scanning :contentReference[oaicite:1]{index=1}.
+- GitHub branch protections on both `main` and `develop`, including required reviews, status checks, and no force-push. :contentReference[oaicite:2]{index=2}
+- Secret scanning enabled to prevent API key leakage. :contentReference[oaicite:3]{index=3}
+
+---
+
+## 👨‍💻 Secure Development Tips
+
+- Avoid committing secrets: use environment variables and secret management tools. :contentReference[oaicite:4]{index=4}
+- Regular dependency updates—automated monthly scans are recommended. :contentReference[oaicite:5]{index=5}
+- Enforce 2FA for all contributors to reduce unauthorized access risks. :contentReference[oaicite:6]{index=6}
+
+---
+
+## 📚 References & Resources
+
+- GitHub best practices for security policies :contentReference[oaicite:7]{index=7}
+- OWASP Vulnerability Disclosure guidelines :contentReference[oaicite:8]{index=8}
+- Coordinated Vulnerability Disclosure in open-source :contentReference[oaicite:9]{index=9}
+
+---
+
+## 🤝 Getting Help & Acknowledgments
+
+- File a confidential GitHub security issue 
+- You can also join our community Slack/Discord channel (see README).
+- For in-depth cross-project discussions, refer to GitHub Security Lab documentation.
+
+---
+
+## 📜 License
+
+This policy is shared under the **MIT License**—feel free to copy or adapt.
+
+---
+
+
+
+Thank you for helping us keep Judge4C secure!  
+— The Judge4C Development Team