Summary

• Add root SECURITY.md, README security entry points, and a concise security documentation index.
• Add docs/security/public-security-reports.md for public security reports, fixed findings, documented findings, non-production-vulnerability reports, duplicates, and related hardening/roadmap items.
• Keep internal issue-management language out of the public docs: the security index is a public resource map, and the reports page describes project status instead of maintainer workflow.
• Route exploitable vulnerabilities to GitHub private security reporting or the listed security contact instead of public GitHub issues.
• Clarify production security boundaries for dev KMS settings, KMS mTLS route enforcement, key derivation behavior, and timestamped KMS env-encryption key verification.
• Align the security model with the README by documenting AMD SEV-SNP as new and experimental while keeping Intel TDX as the production path.

Why

Open public security issues made the repo look riskier than the maintainer position. The PR makes the security posture visible from the README, root security policy, docs index, tutorials, SDK references, and a single searchable reports page. The reports page separates vulnerability-style reports from general security roadmap and hardening work so open design issues do not look like unresolved CVE-style findings.

Validation

• git diff --check
• prek run --files README.md SECURITY.md docs/security/README.md sdk/go/README.md
• prek run --files README.md SECURITY.md docs/security/README.md docs/security/public-security-reports.md
• prek run --files docs/security/public-security-reports.md
• Searched GitHub issue state and maintainer comments for public security reports, including #549-#619, #745, and #746
• Rechecked borderline keyword hits such as #318, #353, #539, #736, #744, #125, #330, and #713; excluded trivial process, support, performance, consolidation, format, and platform capability issues from the page
• Searched for stale security triage links, responsible-disclosure wording, public-vulnerability-reporting wording, internal issue-management wording, and unsafe fallback wording

Follow-up

• Keep Disk encryption key and WireGuard key visible in /proc/PID/cmdline #556, Security: App keys and decrypted env vars written with world-readable permissions #606, secure_time: true can never sync — guest chrony is built without NTS #745, and Harden AMD SEV-SNP KDS collateral fetch (async client, timeouts, caching) #746 open until their hardening or fix work lands.
• After this PR lands, close or update fixed and answered public security issues with links to the public reports page.