feat(legals): add security policy (#156)

SECURITY.md

@@ -0,0 +1,35 @@
+# Security Policy
+
+Security is critically important to Papra. We actively welcome responsible disclosure of any vulnerabilities found in our platform.
+
+## Reporting a Vulnerability
+
+If you discover a security issue within Papra, please email us directly at **security@papra.app** with the following details:
+
+- Clear description of the vulnerability.
+- Steps or proof-of-concept to reproduce the vulnerability.
+- Potential impact or implications of the vulnerability.
+
+We ask you **not to publicly disclose the vulnerability** until we have had a reasonable opportunity to address it.
+
+## Response and Communication
+
+We will:
+
+- Acknowledge receipt of your report within **48 hours**.
+- Investigate and provide initial feedback within **5 business days**.
+- Work diligently to fix validated vulnerabilities.
+- Keep you updated throughout the process until the issue is resolved.
+
+## Security Practices at Papra
+
+Papra follows industry-standard security practices:
+
+- Secure hosting infrastructure provided by trusted services (Render, Cloudflare, Turso).
+- Regular security and dependency updates.
+- Strict access controls to production environments.
+- Encryption of data in transit and at rest.
+
+## Acknowledgments
+
+We greatly appreciate and acknowledge all researchers who responsibly report vulnerabilities, helping us keep Papra secure.

apps/docs/src/content/navigation.ts

@@ -24,4 +24,16 @@ export const sidebar: StarlightUserConfig['sidebar'] = [
       },
     ],
   },
+  {
+    label: 'Resources',
+    items: [
+      {
+        label: 'Security Policy',
+        link: 'https://github.com/papra-hq/papra/blob/main/SECURITY.md',
+        attrs: {
+          target: '_blank',
+        },
+      },
+    ],
+  },
 ];