chore(docs): add security policy

This commit introduces a detailed SECURITY.md file that outlines:
- Supported version policy for security patches
- Vulnerability reporting process
- Disclosure and handling procedures
- Security best practices for using the provider
- Additional security resources and references

The new security policy provides clear guidance for users and contributors on how security issues are managed and mitigated.

Signed-off-by: Pavel Boldyrev <[email protected]>

Author: bpg

.github/SECURITY.md

@@ -0,0 +1,75 @@
+# Security Policy
+
+## Supported Versions
+
+We release patches for security vulnerabilities for the following versions:
+
+| Version | Supported          |
+| ------- | ------------------ |
+| Latest release   | :white_check_mark: |
+| Previous minor release | :white_check_mark: |
+| < Previous minor release   | :x:                |
+
+## Reporting a Vulnerability
+
+We take the security of the Terraform Provider for Proxmox and its users seriously. If you believe you have found a security vulnerability, please report it to us privately.
+
+**Please do not report security vulnerabilities through public GitHub issues, discussions, or pull requests.**
+
+Instead, please send an email to <[email protected]> or report it through GitHub's Security Advisory feature:
+
+1. Go to <https://github.com/bpg/terraform-provider-proxmox/security/advisories/new>
+2. Provide a descriptive title
+3. Fill in a detailed description of the issue
+4. Click "Submit report"
+
+Please include the following information in your report:
+
+- Description of the vulnerability
+- Steps to reproduce the issue
+- Potential impact of the vulnerability
+- Suggested fix if possible
+- Your name/handle for credit (optional)
+
+## What to Expect
+
+When you submit a vulnerability report, you can expect:
+
+- Acknowledgment of your report within 48 hours
+- Regular updates about our progress
+- Credit for discovering the vulnerability (if desired)
+
+## Disclosure Policy
+
+When we receive a security bug report, we will:
+
+1. Confirm the problem and determine the affected versions
+2. Audit code to find any potential similar problems
+3. Prepare fixes for all supported versions
+4. Release new versions and notify users
+
+## Security-Related Configuration
+
+When using this provider, please follow these security best practices:
+
+1. **API Credentials**:
+   - Use environment variables or encrypted credential files to store sensitive information
+   - Never commit API tokens or credentials to version control
+   - Use the most restrictive permissions possible for API users
+
+2. **Network Security**:
+   - Use HTTPS/TLS for all API connections
+   - Configure appropriate firewall rules
+   - Use private networks where possible
+
+3. **State File Security**:
+   - Encrypt your Terraform state files
+   - Use remote state with appropriate access controls
+   - Be cautious with state file contents as they may contain sensitive information
+
+## Additional Information
+
+For more information about security practices when using this provider, please refer to:
+
+- [Terraform Security Best Practices](<https://www.terraform.io/docs/cloud/guides/recommended-practices/security.html>)
+- [Proxmox Security Documentation](<https://www.proxmox.com/en/proxmox-ve/security>)