Add SECURITY.md#16939

Merged
opengeek merged 1 commit into modxcms:3.x from opengeek:docs/security-policy
Mar 31, 2026
Conversation

@opengeek (Member)

What does it do?

Adds a SECURITY.md file to the 3.x branch. The file covers:

  • Supported versions table (3.x fully supported; 2.x critical vulnerabilities only)
  • Reporting channel: security@modx.com and the modx.com disclosure form (email-only intake)
  • Required report contents
  • Response timeline with an explicit 90-day maximum embargo commitment
  • Coordinated disclosure policy and researcher expectations
  • Scope definitions: in-scope versions, out-of-scope items, and an Extras disclaimer
  • Recognition policy (no bounty; public credit offered)
  • Researcher protections (no legal action for good-faith reports)

Why is it needed?

The 3.x branch currently has no security policy file. GitHub surfaces a "Security policy" prompt on the repository to encourage contributors to report issues responsibly — without this file, reporters have no guidance and may open public issues for vulnerabilities. The 2.x branch has an outdated SECURITY.md with broken URLs; this is a ground-up draft for 3.x aligned with the published disclosure policy at modx.com/community/responsible-security-disclosure.

How to test

Documentation only — no code changes. Review the file content for accuracy against the published policy at https://modx.com/community/responsible-security-disclosure.

Related issue(s)/PR(s)

None. This closes a documentation gap identified during a security infrastructure review.

@opengeek opengeek marked this pull request as ready for review March 31, 2026 02:53
@opengeek opengeek requested a review from Mark-H as a code owner March 31, 2026 02:53
@mkschell (Member) left a comment

No issues with this.

@opengeek opengeek merged commit 967b802 into modxcms:3.x Mar 31, 2026
5 checks passed
@opengeek opengeek deleted the docs/security-policy branch March 31, 2026 17:40