
docs(security): update security policy with reporting guidelines and hints to supported versions#76

Open
balazs-szucs wants to merge 6 commits into grimmory-tools:develop from balazs-szucs:security-md-stuff

Conversation

@balazs-szucs balazs-szucs commented Mar 20, 2026

📝 Description

See: https://github.com/balazs-szucs/grimmory/blob/security-md-stuff/SECURITY.md

Required for develop and main. Your PR title must use Conventional Commit format because maintainers squash-merge with the PR title and stable releases are computed from commit history. Example: fix(reader): prevent blank pages on chapter jump

Linked Issue: Fixes #

Required. Every PR must reference an approved issue. If no issue exists, open one and wait for maintainer approval before submitting a PR. Unsolicited PRs without a linked issue will be closed.

🏷️ Type of Change

  • Bug fix
  • New feature
  • Enhancement to existing feature
  • Refactor (no behavior change)
  • Breaking change (existing functionality affected)
  • Documentation update

🔧 Changes

🧪 Testing (MANDATORY)

PRs without this section filled out will be closed. "Tests pass" or "Tested locally" is not sufficient. You must provide specifics.

Manual testing steps you performed:

Regression testing:

Edge cases covered:

Test output:

Backend test output (./gradlew test)
PASTE OUTPUT HERE
Frontend test output (ng test)
PASTE OUTPUT HERE

📸 Screen Recording / Screenshots (MANDATORY)

Every PR must include a screen recording or screenshots showing the change working end-to-end in a running local instance (both backend and frontend). This means you must have actually built, run, and tested the code yourself. PRs without visual proof will be closed without review.


✅ Pre-Submission Checklist

All boxes must be checked before requesting review. Incomplete PRs will be closed without review. No exceptions.

  • This PR is linked to an approved issue
  • Code follows project backend and frontend conventions
  • Branch is up to date with develop (merge conflicts resolved)
  • I ran the full stack locally (backend + frontend + database) and verified the change works
  • Automated tests added or updated to cover changes (backend and frontend)
  • All tests pass locally and output is pasted above
  • Screen recording or screenshots are attached above proving the change works
  • PR is a single focused change (one bug fix OR one feature, not multiple unrelated changes)
  • PR is reasonably scoped (PRs over 1000+ changed lines will be closed, split into smaller PRs)
  • No unsolicited refactors, cleanups, or "improvements" are bundled in
  • Flyway migration versioning is correct (if schema was modified)
  • Required documentation updates are included in this repo or the current Grimmory docs surface (if user-facing changes)

🤖 AI-Assisted Contributions

If any part of this PR was generated or assisted by AI tools (Copilot, Claude, ChatGPT, etc.), all items below are mandatory. You are fully responsible for every line you submit. "The AI wrote it" is not an excuse, and AI-generated PRs that clearly haven't been reviewed are the #1 reason PRs get closed.

  • I have read and understand every line of this PR and can explain any part of it during review
  • I personally ran the code and verified it works (not just trusted the AI's output)
  • PR is scoped to a single logical change, not a dump of everything the AI suggested
  • Tests validate actual behavior, not just coverage (AI-generated tests often assert nothing meaningful)
  • No dead code, placeholder comments, TODOs, or unused scaffolding left behind by AI
  • I did not submit refactors, style changes, or "improvements" the AI suggested beyond the scope of the issue

💬 Additional Context (optional)

Summary by CodeRabbit

  • Documentation
    • Established a comprehensive security vulnerability reporting process with clear reporting channels, submission requirements checklist, and detailed step-by-step handling procedures from acknowledgment through resolution
    • Updated security support policy: only the latest version receives security updates; older versions are no longer supported
    • Added security best practices guidance with deployment, configuration, and hardening recommendations

dependabot bot and others added 6 commits March 19, 2026 19:46
Dependabot couldn't find the original pull request head commit, ea510f4.

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…immory-tools#2)

Dependabot couldn't find the original pull request head commit, faed6bf.

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…mory-tools#3)

Dependabot couldn't find the original pull request head commit, f110823.

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…ools#6)

Dependabot couldn't find the original pull request head commit, 9a8d7a1.

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
coderabbitai bot commented Mar 20, 2026

📝 Walkthrough

Walkthrough

The SECURITY.md file was restructured to formalize vulnerability reporting procedures, including two submission channels, a required information checklist, and a documented resolution process. The supported versions policy was updated to restrict security patches to the latest version only, and security best practices for deployment were added.

Changes

Cohort / File(s)                               Summary
Security Policy Documentation (SECURITY.md)    Added structured vulnerability reporting procedures ("How to Report", "What to Include", "Process"), updated "Supported Versions" to support only the latest release, and replaced placeholder content with "Security Best Practices" focused on deployment guidance.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Poem

🐰 Hoppy hops around with glee,
Security's now clear to see!
Latest versions earn the shield,
Reports have channels, paths now sealed,
Best practices grow with care, 🛡️
Vulnerabilities go...everywhere!

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Description check (⚠️ Warning)
  Explanation: The description is largely incomplete and non-compliant. Critical sections are empty or unchecked: no issue linked, type of change not marked, changes list blank, testing details missing (manual steps, regression testing, edge cases, test output), screenshots/recordings absent, and all pre-submission checklist items unchecked.
  Resolution: Fill all required sections: link an approved issue, mark documentation update type, list specific changes, provide mandatory testing details with actual steps, include screenshots/recordings, and check all applicable checklist items before requesting review.

✅ Passed checks (2 passed)

Title check (✅ Passed)
  Explanation: The title uses Conventional Commit format and clearly describes the main change: updating the security policy with reporting guidelines and version support information.
Docstring Coverage (✅ Passed)
  Explanation: No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.



@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@SECURITY.md`:
- Around line 55-56: Update the note paragraph following the Markdown block
reference "[!NOTE]" so the first word is capitalized (change "this list is not
exhaustive." to "This list is not exhaustive."). Locate the "[!NOTE]" block in
SECURITY.md and edit the sentence that follows to start with a capital letter to
improve professionalism.
- Line 3: The "How to Report" heading currently uses an H3 (### How to Report)
which creates a jump from the H1; update the heading to H2 by changing "### How
to Report" to "## How to Report" so the document maintains proper heading
hierarchy and satisfies linters referencing the "How to Report" heading.
- Around line 12-14: The "Direct contact" section is ambiguous and may lead
reporters to share sensitive details publicly; update the SECURITY.md "Direct
contact" section to specify a single private reporting channel (for example a
dedicated security email address or a Discord DM to a named maintainer account),
provide exact contact details and clear instructions not to post vulnerability
details in public channels, and replace vague phrasing like "anybody with
'maintainer' role discord" with the chosen private channel and explicit note
about encryption or PGP for sensitive attachments; ensure the section header
"Direct contact" and its bullet text are changed accordingly.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 0efef108-471b-4edc-8881-fc303dba869c

📥 Commits

Reviewing files that changed from the base of the PR and between 6ef4448 and 36bebe6.

📒 Files selected for processing (1)
  • SECURITY.md

Comment on lines +55 to +56
> [!NOTE]
> this list is not exhaustive. Always follow general security best practices when deploying any software.

⚠️ Potential issue | 🟡 Minor

Polish note capitalization for professionalism.

Capitalize the first word in the note text.

Suggested diff
 > [!NOTE]
-> this list is not exhaustive. Always follow general security best practices when deploying any software.
+> This list is not exhaustive. Always follow general security best practices when deploying any software.

@imajes imajes force-pushed the develop branch 2 times, most recently from 89113d4 to 37ca101 Compare March 20, 2026 22:20


Development

Successfully merging this pull request may close these issues.

[Feature] Please enable the Private Vulnerability Reporting feature and update SECURITY.md
