
Add SECURITY.md with private vulnerability reporting path #9202

Open
CryptoJones wants to merge 1 commit into NationalSecurityAgency:master from CryptoJones:security-md-upstream

Conversation

@CryptoJones

Summary

Adds a root-level SECURITY.md documenting:

  • The private GitHub Security Advisory reporting path (preferred).
  • The scope of "security" (loaders, network surfaces, deserialization).
  • What does not count as a security issue (perf, "malware on my screen", out-of-tree mods).
  • Expected response shape and the GHSA → CVE publication flow at disclosure time.

Why

Ghidra parses adversary-controlled binaries and ships a network-reachable server, but the repo currently has no SECURITY.md. The "Security Advisories" link in the README points to the right place, but there is no discoverable file at the root telling a researcher how to file a private report.

GitHub's "Security policy" surface (the badge that appears on a repo's main page and on every issue page) is wired off SECURITY.md. Adding one improves discoverability for reporters who arrive cold and may otherwise file a public issue.

Comparable projects already publish one:

Scope of this PR

Documentation only. No code, build, CI, or workflow changes.

The repo's existing GitHub Security Advisories page is unchanged; this PR just makes the reporting path findable.

Test plan

  • Confirm the file renders cleanly on GitHub.
  • Confirm the "Security policy" tab appears on the repo home and points to SECURITY.md.
  • No broken links.

Notes for review

I'm happy to amend wording to match existing project voice or to update the email / contact path if there is a maintainer-preferred channel beyond the GHSA report. The current text intentionally avoids putting an email address inline — the GHSA path is the simplest and most auditable.

Documents the private GitHub Security Advisory reporting channel,
the scope (what counts as a security issue and what doesn't), and
the expected response and disclosure flow. Aligns with the existing
'Security Advisories' link already present in README.md and gives
reporters a discoverable starting point at the root of the repo.

No code changes. The repo's GitHub Security Advisories page already
exists; this file makes the reporting path findable from the root.