Add SECURITY.md to project root
## Problem
The AI module currently has no `SECURITY.md` at the repository root. As more AI-assisted security scanners and researchers run automated tests against the module and its sub-modules, contributors have no canonical place to learn how to responsibly disclose findings. This leads to public issue reports of unverified vulnerabilities and ad-hoc disclosure paths.
## Proposed solution
Add a `SECURITY.md` to the project root containing three sections:
### 1. How to report a security finding
- Direct reporters to the Drupal Security Team's standard private reporting channel (`security@drupal.org`) per Drupal.org's contributed module security policy, rather than the public GitLab issue queue.
- Provide guidance on what a report should include (affected version, reproduction steps, impact, suggested fix if known).
### 2. Disclosure policy
- Coordinated disclosure handled by the Drupal Security Team.
- No public discussion of unfixed issues in the GitLab issue queue or drupal.org issues.
- Reporters will be **credited** in the public Security Advisory once a fix is released (unless they request anonymity).
### 3. Supported versions
- A short table listing which minor branches of the AI module currently receive security fixes (e.g. latest stable + previous).
- Note that experimental sub-modules may not be covered until they reach stable.
## Scope
Documentation only. No code changes. Maintainers to confirm exact supported-versions matrix before merging.