
Add SECURITY.md with vulnerability reporting policy #5

@jozefizso

Description

The repository should include a SECURITY.md file to define how users should report security vulnerabilities. This is a best practice for public GitHub Actions, especially before the v1.0.0 release.

What to Include

A SECURITY.md should document:

Supported Versions

Which versions receive security updates:

| Version | Supported          |
| ------- | ------------------ |
| 1.x     | :white_check_mark: |
| < 1.0   | :x:                |

Reporting a Vulnerability

  • How to report security issues (email, private disclosure, GitHub Security Advisories)
  • Expected response time
  • Disclosure policy

Security Considerations for Users

  • This action runs with sudo privileges
  • Downloads installer packages from Microsoft CDN
  • Modifies system TCC database
  • Recommendations for securing workflows using this action

Example Structure

# Security Policy

## Supported Versions

[versions table]

## Reporting a Vulnerability

Please report security vulnerabilities by [method]. Do not create public GitHub issues for security vulnerabilities.

We will respond within [timeframe] and work with you to understand and address the issue.

## Security Considerations

This action requires elevated privileges to:
- Install system software
- Modify macOS privacy databases (TCC)
- Enable UI automation

Please review the source code before use in production environments.

Priority

Should be completed before v1.0.0 release.

References
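As an added illustration of the "Recommendations for securing workflows using this action" item under Security Considerations for Users above (this is example content, not text from the issue or code from the project): a consuming workflow that pins the action to a full commit SHA instead of a mutable tag, grants the job token read-only access, and runs on an ephemeral GitHub-hosted macOS runner so the sudo installs and TCC changes do not outlive the job. `OWNER/ACTION-NAME` and the all-zero SHA are placeholders; the action's behaviour (sudo, installer download from the Microsoft CDN, TCC modification) is taken from the list above.

```yaml
# Example consumer workflow (added here, not from the project).
# OWNER/ACTION-NAME and the 40-zero commit SHA are placeholders: replace them
# with the real action and the full commit SHA of the release you reviewed.
name: ui-tests

on:
  pull_request:
    branches: [main]

# Least privilege for GITHUB_TOKEN: a step running under sudo cannot use the
# token to push, open PRs, or write releases if it is read-only to begin with.
permissions:
  contents: read

jobs:
  test:
    # Ephemeral GitHub-hosted runner: the sudo installs and TCC database edits
    # made by the action are discarded with the VM when the job ends.
    # Avoid long-lived self-hosted runners for an action with these side effects.
    runs-on: macos-latest
    timeout-minutes: 30
    steps:
      - uses: actions/checkout@v4
        with:
          # Do not leave the token in .git/config for later (privileged) steps.
          persist-credentials: false

      - name: Install UI automation tooling (pinned by commit SHA, not by tag)
        # A tag such as @v1 can be moved to new code; a commit SHA cannot.
        # Keep the version in a trailing comment so Dependabot can track it.
        uses: OWNER/ACTION-NAME@0000000000000000000000000000000000000000 # v1.x placeholder

      - name: Run UI tests
        run: ./scripts/run-ui-tests.sh
```

The pinned-SHA plus `contents: read` combination is the part worth spelling out in SECURITY.md: an action that downloads and installs software with sudo is exactly the kind of dependency whose tag should not be trusted to stay immutable, and the read-only token limits what a compromised installer could do with the repository even when it runs as root on the runner.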

Metadata

Assignees

No one assigned

Labels

documentation (Improvements or additions to documentation), security

Projects

No projects

Milestone

Relationships

None yet

Development

No branches or pull requests