
docs(security): add SECURITY.md with threat model #6316

Merged
christian-bromann merged 1 commit into main from cb/security
Jun 24, 2025

Conversation

@christian-bromann
Member

What is the current behavior?

GitHub Issue Number: N/A

Currently, the Stencil project does not have a formal security policy or threat model documentation. Developers and security researchers lack clear guidance on:

  • How to report security vulnerabilities
  • Understanding the security implications of different Stencil components
  • Best practices for secure Stencil application development
  • Threat prioritization and mitigation strategies

What is the new behavior?

This PR adds a comprehensive SECURITY.md file that includes:

  1. Security Reporting Policy: Clear instructions for reporting security vulnerabilities via email instead of public GitHub issues

  2. Comprehensive Threat Model: Detailed analysis of 14 security threats across all Stencil components:

    • Stencil Compiler (3 threats)
    • Dev Server (3 threats)
    • Client-side Runtime (3 threats)
    • Server-Side Rendering (3 threats)
    • CLI (2 threats)

  3. DREAD Risk Assessment: Each threat is scored using the DREAD methodology (Damage, Reproducibility, Exploitability, Affected Users, Discoverability) for prioritization

  4. Detailed Attack Scenarios: Realistic examples of how each threat could be exploited

  5. Concrete Code Examples: Vulnerable code patterns and attack payloads that developers can learn from

  6. Mitigation Strategies: Specific recommendations for preventing and addressing each threat category

  7. Real-world Impact: References to actual security incidents and statistics where applicable

The threat model identifies 6 Critical priority threats (40-50 DREAD points), 7 High priority threats (25-39 points), and 1 Medium priority threat (11-24 points).

Documentation

This PR is entirely documentation-focused, providing security guidance for the Stencil ecosystem.

Does this introduce a breaking change?

  • Yes
  • No

This is a documentation-only addition with no impact on existing code or functionality.

Testing

Document Review:

  • Verified all threat scenarios are technically accurate and relevant to Stencil's architecture
  • Ensured DREAD scoring methodology is consistently applied across all threats
  • Validated that code examples represent realistic vulnerability patterns
  • Confirmed mitigation strategies are actionable and specific to each threat category
  • Reviewed formatting and structure for readability and accessibility

Content Validation:

  • Cross-referenced threat categories with STRIDE methodology
  • Verified real-world impact examples and statistics are accurate
  • Ensured attack scenarios cover the full spectrum from simple to advanced exploitation techniques

Other information

Key Features of this Security Policy:

  • Developer-Focused: Written to help Stencil developers understand and prevent security vulnerabilities
  • Actionable Guidance: Each threat includes specific code examples of both vulnerable and secure patterns
  • Prioritized Approach: DREAD scoring helps teams focus on the most critical security issues first
  • Comprehensive Coverage: Addresses security concerns across the entire Stencil toolchain from development to production

Notable Security Findings:

  • Identified a potential directory traversal vulnerability in the dev server (CVE-pending)
  • Highlighted critical risks around environment variable exposure in client-side bundles
  • Documented XSS risks specific to Stencil's JSX implementation and SSR capabilities

This security policy will serve as a foundation for ongoing security improvements and help establish Stencil as a security-conscious framework in the web components ecosystem.

@christian-bromann christian-bromann requested a review from a team as a code owner June 23, 2025 21:37
@christian-bromann christian-bromann merged commit fc2e158 into main Jun 24, 2025
70 checks passed
@christian-bromann christian-bromann deleted the cb/security branch June 24, 2025 15:09