
docs(security): add initial security policy#3290

Merged: Enselic merged 2 commits into sharkdp:master from janderssonse:fix/add-security-policy on Aug 27, 2025

Conversation

@janderssonse (Contributor)

@janderssonse janderssonse commented May 11, 2025

This PR adds a SECURITY.md file, battle tested in other projects and orgs (the construct is CC0, i.e. public domain, for example from here: https://raw.githubusercontent.com/itiquette/git-provider-sync/refs/heads/main/SECURITY.md, so just reuse).

A SECURITY.md would help anyone assessing the project for use, give a hint of how it handles critical non-public security issues, and give anyone a clear instruction on how to report them non-publicly.

I.e., for someone thinking about using bat in an organisation or privately, it would give an extra trust factor.

This policy basically says "send your findings, and we will see if we handle them, we will notify you".

Besides being a good FOSS practice, it makes the project look more professional, and it is heavily supported by GitHub (https://docs.github.com/en/communities/setting-up-your-project-for-healthy-contributions/creating-a-default-community-health-file etc.) as one of the community health files, so it will pop up automatically in the UI for the end user.

Examples:
- The Security tab on the project front page will be added automatically (screenshot from 2025-05-11 05-57-27).
- The Security Policy in the top right corner of the UI will be added automatically (screenshot from 2025-05-11 05-58-05).
- The Security Policy under Security Overview for the project will show the Security Policy green and enabled (screenshot from 2025-05-11 05-58-23).

NOTE: there is a <...> in the text, where the preferred channel for reporting should be added. I left that for you (or tell me what to add there, and I'll rebase with that).

NOTE: I have had this in multiple orgs and projects over the years. Only once did I get a report, so I don't think one should worry about getting too many reports from this; this is at least my experience.

@janderssonse (Contributor, Author)

It fails without a changelog entry, but I think this applies (I see this as docs):

> [!NOTE]
> For PRs, a CI workflow verifies that a suitable changelog entry is
> added. If such an entry is missing, the workflow will fail. If your
> changes do not need an entry to the changelog (see above), that
> workflow failure can be disregarded.

Comment thread on SECURITY.md (outdated), on these lines:
- Vulnerabilities will be handled on a best-effort basis.
- You may request an advance copy of the patched release, but we cannot guarantee early access before the public release.
- You will be notified via email simultaneously with the public announcement.
- We will respond within a few weeks to confirm whether your report has been accepted or rejected.
@Enselic (Collaborator)

I'd like to point out that bat comes with no warranty, and I don't want to make any promises about timeliness

I don't really think there is a problem with our current place and instruction found at https://github.com/sharkdp/bat?tab=readme-ov-file#security-vulnerabilities

@janderssonse (Contributor, Author) commented Aug 26, 2025

@Enselic Then we should just remove the last note, the "respond" paragraph, maybe. I don't see that there are any obligations in this, on purpose. Best-effort means that doing nothing is an option too (no warranty). There is nothing wrong with the current instruction you link to, but this community file is an idiomatic way (like I show with examples in the PR text, i.e. it is both acknowledged by platforms like GitHub, and an end user would expect to look for this information in a file with this name, SECURITY.md).

@Enselic (Collaborator)

As a first step we could put our current instruction in the separate file and get that merged

@janderssonse (Contributor, Author) commented Aug 26, 2025

I can update this PR suggestion with a PR which is a mix of both, and be careful to remove anything which even remotely implies any promises (the "We will respond..." paragraph, or soften it even more: "In most cases, we will..." is friendly, but makes no promises?). Sound good?

@Enselic (Collaborator)

Let's first do it minimally

and to be honest I don't see the point of adding more info

if someone does not know how to write a security bug report, they probably should not

(If it's too easy we end up in https://daniel.haxx.se/blog/2025/07/14/death-by-a-thousand-slops/)

@janderssonse (Contributor, Author)

I simplified it and rebased, now it is almost like the original information from the README. Please have a look.

@Enselic Enselic added the waiting-on-author Progress on this PR is blocked mostly because we are waiting on the author of the PR to do something label Aug 16, 2025
@Enselic (Collaborator)

Enselic commented Aug 26, 2025

Closing for now to keep PR inbox clean but we can keep discussing here if needed.

@Enselic Enselic closed this Aug 26, 2025
@Enselic Enselic reopened this Aug 26, 2025
@janderssonse janderssonse force-pushed the fix/add-security-policy branch from 9eceb9d to 19cf695 on August 27, 2025 06:12
@Enselic (Collaborator) left a comment

Like I said, I prefer a minimal change.

I'd also like to keep the header in the README.md so that old links don't break, but it should reference the SECURITY.md file.

@janderssonse janderssonse force-pushed the fix/add-security-policy branch from 19cf695 to ef4940d on August 27, 2025 16:57
@janderssonse (Contributor, Author)

janderssonse commented Aug 27, 2025

> Like I said, I prefer a minimal change.
>
> I'd also like to keep the header in the README.md so that old links don't break, but it should reference the SECURITY.md file.

Please have a look again:)

Signed-off-by: Josef Andersson <janderssonse@proton.me>
@janderssonse janderssonse force-pushed the fix/add-security-policy branch from ef4940d to 67fc0d9 on August 27, 2025 17:01
Removed the thank you note for reporting vulnerabilities.
@Enselic (Collaborator) left a comment

thanks for the update, let's merge

@Enselic Enselic enabled auto-merge (squash) August 27, 2025 18:27
@Enselic Enselic merged commit 6772225 into sharkdp:master Aug 27, 2025
23 of 24 checks passed
