Replace SECURITY.md with unified security policy

SECURITY.md

@@ -1,98 +1,68 @@
 # 🔒 Security Policy
 
-## 🛡️ Supported Versions
-
-We actively maintain and provide security updates for the following versions:
-
-| Version | Supported          |
-| ------- | ------------------ |
-| 1.0.x   | :white_check_mark: |
-
 ## 🚨 Reporting Security Vulnerabilities
 
-If you identify any security vulnerabilities or concerns within this repository, please report them promptly by emailing us at [[email protected]](mailto:[email protected]).
-
-**Please do NOT report security vulnerabilities through public GitHub issues.**
-
-> [!NOTE]
-> As an open-source project, we don't offer monetary bug bounties. However, we provide meaningful recognition and community acknowledgment for security researchers who help improve our project.
-
-### What to Include in Your Report
+We take security seriously. If you discover a security vulnerability, please report it responsibly:
 
-When reporting a security vulnerability, please include:
+### Private Vulnerability Reporting (Recommended)
 
-- **Description**: A clear description of the vulnerability
-- **Impact**: Potential impact and severity assessment
-- **Steps to Reproduce**: Detailed steps to reproduce the vulnerability
-- **Environment**: Node.js version, operating system, and other relevant details
-- **Proof of Concept**: If possible, include a minimal reproduction case
+This repository has **private vulnerability reporting** enabled. You can securely report vulnerabilities directly through GitHub:
 
-### Response Timeline
+1. Navigate to the [**Security**](../../security) tab
+2. Click [**Advisories**](../../security/advisories)
+3. Click **"Report a vulnerability"** button
+4. Fill out the vulnerability details
 
-- **Initial Response**: Within 48 hours of receiving your report
-- **Status Update**: Regular updates every 3-5 business days
-- **Resolution**: We aim to resolve critical vulnerabilities within 7 days
+This allows us to discuss and fix the issue privately before any public disclosure.
 
-### Recognition and Rewards
+### Email Reporting
 
-As an open-source organization, we don't currently offer monetary rewards for vulnerability reports. However, we deeply value your contributions and offer the following recognition:
+Alternatively, you can email us at **[[email protected]](mailto:[email protected])**
 
-- **Public Acknowledgment**: Credit in our security advisories and release notes (with your permission)
-- **Hall of Fame**: Recognition in our project's security contributors section
-- **Professional Reference**: LinkedIn recommendations or professional references for your security research skills
+**Please do NOT report security vulnerabilities through public GitHub issues.**
 
-We believe in building a collaborative security community and greatly appreciate researchers who help improve our project's security posture.
+### What to Include
 
-## 🔐 Security Considerations
+- Clear description of the vulnerability
+- Steps to reproduce
+- Potential impact
+- Your environment details (Node.js version, OS, etc.)
 
-This webhook server handles sensitive operations and external requests. Key security areas include:
+### Response Timeline
 
-### HMAC Signature Verification
-- All webhook requests must include valid HMAC-SHA256 signatures
-- Signatures are verified against your Unthread webhook secret
-- Invalid signatures are rejected immediately
+- **Initial Response**: Within 48 hours
+- **Status Updates**: Every 3-5 business days
+- **Resolution**: Critical issues resolved within 7 days
 
-### Environment Security
-- Store your `UNTHREAD_WEBHOOK_SECRET` securely
-- Use environment variables, never hardcode secrets
-- Regularly rotate your webhook secrets
+## 🛡️ Supported Versions
 
-### Redis Security
-- Secure your Redis instance with authentication
-- Use TLS encryption for Redis connections in production
-- Limit Redis access to authorized applications only
+We provide security updates for the following versions. If you're using an unsupported version, please upgrade to receive security patches.
 
-### Network Security
-- Deploy behind a reverse proxy or load balancer
-- Use HTTPS/TLS for all webhook endpoints
-- Implement rate limiting to prevent abuse
+| Version | Supported          |
+| ------- | ------------------ |
+| 1.0.x   | ✅ Yes             |
+| < 1.0   | ❌ No              |
 
-### Input Validation
-- All webhook payloads are validated before processing
-- Malformed requests are rejected with appropriate error responses
-- Event deduplication prevents replay attacks
+## 🔐 Security Best Practices
 
-## 🏭 Production Security Checklist
+When contributing or deploying:
 
-Before deploying to production:
+- ✅ Never commit secrets, API keys, or credentials
+- ✅ Always use environment variables for sensitive data
+- ✅ Keep dependencies updated
+- ✅ Use HTTPS/TLS for all endpoints
+- ✅ Enable security scanning (Dependabot, CodeQL)
 
-- [ ] Use HTTPS/TLS for all endpoints
-- [ ] Secure Redis with authentication and encryption
-- [ ] Set strong, unique webhook secrets
-- [ ] Implement proper logging and monitoring
-- [ ] Use environment variables for all secrets
-- [ ] Deploy behind a reverse proxy
-- [ ] Enable rate limiting
-- [ ] Regular security updates for dependencies
+## 🏆 Recognition
 
-## 🆘 Security Support
+While we don't offer monetary rewards, we deeply value security researchers and provide:
 
-Your efforts to help us maintain the safety and integrity of this open-source project are greatly appreciated. Thank you for contributing to a more secure community!
+- Public acknowledgment in security advisories (with permission)
+- Recognition in our security contributors hall of fame
+- Professional references for your security work
 
-For general security questions or guidance, you can also reach out through:
-- Email: [[email protected]](mailto:[email protected])
-- GitHub Security Advisories (for coordinated disclosure)
+Thank you for helping keep our projects secure! 🙏
 
 ---
 
-🔐 with ❤️ by [Waren Gonzaga](https://warengonzaga.com) under [WG Technology Labs](https://wgtechlabs.com) and [Him](https://www.youtube.com/watch?v=HHrxS4diLew&t=44s) 🙏
+🔐 with ❤️ by [Waren Gonzaga](https://warengonzaga.com) under [WG Technology Labs](https://wgtechlabs.com) and [Him](https://www.youtube.com/watch?v=HHrxS4diLew&t=44s) 🙏