
docs: add security policy #1593

Merged
WilliamBergamin merged 1 commit into main from security-policy
May 29, 2026

@WilliamBergamin
Contributor

  • Adds a SECURITY.md to .github/ with vulnerability reporting instructions, threat model, and disclosure policy
  • Directs reporters to the Slack HackerOne bug bounty program
  • Defines in-scope vulnerabilities (signature bypass, token leakage, DoS, auth bypass) and out-of-scope issues

Category (place an x in each of the [ ])

  • bolt (Bolt for Java)
  • bolt-{sub modules} (Bolt for Java - optional modules)
  • slack-api-client (Slack API Clients)
  • slack-api-model (Slack API Data Models)
  • slack-api-*-kotlin-extension (Kotlin Extensions for Slack API Clients)
  • slack-app-backend (The primitive layer of Bolt for Java)

Requirements

Please read the Contributing guidelines and Code of Conduct before creating this issue or pull request. By submitting, you agree to those rules.

@WilliamBergamin WilliamBergamin self-assigned this May 28, 2026
@WilliamBergamin WilliamBergamin requested a review from a team as a code owner May 28, 2026 18:33
@WilliamBergamin WilliamBergamin added the docs M-T: Documentation work only label May 28, 2026
@codecov

codecov Bot commented May 28, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 73.28%. Comparing base (45a122e) to head (9e41238).
✅ All tests successful. No failed tests found.

Additional details and impacted files
@@            Coverage Diff            @@
##               main    #1593   +/-   ##
=========================================
  Coverage     73.28%   73.28%           
  Complexity     4519     4519           
=========================================
  Files           478      478           
  Lines         14300    14300           
  Branches       1490     1490           
=========================================
  Hits          10480    10480           
  Misses         2932     2932           
  Partials        888      888           
Flag Coverage Δ
jdk-14 73.28% <ø> (ø)

Flags with carried forward coverage won't be shown.


Member

@zimeg zimeg left a comment

@WilliamBergamin Believe it or not I drink a coffee as these writings are read ☕ 🔏

@WilliamBergamin WilliamBergamin merged commit 5803580 into main May 29, 2026
7 checks passed
@WilliamBergamin WilliamBergamin deleted the security-policy branch May 29, 2026 14:03