[Feature]: Enable Security Policy and Private Vulnerability Reporting

[XlabAITeam]

As a sandbox solution, it is essential to provide a secure channel for reporting potential security concerns. Implementing a formal security policy ensures that any future findings can be disclosed, discussed, and resolved privately before being made public, protecting both the project and its users.

Suggestions and Solutions:

1. Add a SECURITY.md file: Define the process for reporting potential security issues.
2. Enable Private Vulnerability Reporting: Turn on this feature in Settings to allow researchers to submit reports confidentially via GitHub (Ref: https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository).
3. Security Advisories: This will allow the project to coordinate security fixes and issue CVEs if necessary.

[DorianZheng]

Thanks for raising this, @XlabAITeam — you're right that a sandbox project needs a private disclosure channel.

Done in #445:

• Added SECURITY.md with the full policy — reporting channels, acknowledgement SLA (3 business days), supported versions, scope (VM escape, jailer bypass, guest→host escalation, image handling,
  host-side memory safety), and safe-harbor language for good-faith research.
• Enabled GitHub's Private Vulnerability Reporting on the repository. Reports go to https://github.com/boxlite-ai/boxlite/security/advisories/new, which opens a private advisory where we can
  coordinate the fix, credit, and a CVE if applicable.
• Cross-linked the policy from README.md and CONTRIBUTING.md so researchers can find it.

Please submit any findings through the advisory form — if you can't for some reason, DM a maintainer on Discord and we'll open a private channel.

Closing as completed. Thanks again for the nudge.