27 changes: 27 additions & 0 deletions SECURITY.md
@@ -0,0 +1,27 @@
# Security Policy

The KusionStack is a CNCF incubating project, and we follow the [CNCF Security Policy](https://contribute.cncf.io/projects/best-practices/security/). And we take the security of KusionStack very seriously. If you've discovered a security vulnerability, we appreciate your help in disclosing it to us responsibly.

## Reporting a Vulnerability

To report a vulnerability, please follow these steps:

1. Go to the **Security** tab in the relevant repository on GitHub.
2. Click on the **Advisories** tab.
3. Click on **Report a vulnerability**.

Alternatively, you can send an email to [antsrc@service.alipay.com](mailto:antsrc@service.alipay.com) with a description of the issue, the steps to reproduce it, and the potential impact.

You can expect a response within 24 hours to acknowledge that we've received your report. If you don't hear back in that time, please reach out to a committer directly to confirm we received your message.

## Security Response Process

Once a committer confirms the report is valid, they will create a draft security advisory on GitHub. We'll discuss the issue with the relevant maintainers and the reporter(s) in private.

If you'd like to participate in the discussion, please provide your GitHub username so we can invite you. Otherwise, you can ask to be kept updated via email.

If we accept the vulnerability, we'll work with you to determine a timeline for developing a patch, disclosing the issue publicly, and releasing the fix.

## Scope

We prioritize vulnerabilities that could compromise data confidentiality, allow privilege escalation, or affect data integrity. Availability issues such as Denial of Service (DoS) and resource exhaustion are also taken seriously.
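Review bot: The Reporting and Response sections give a 24-hour acknowledgement target but no disclosure timeline, so a reporter has no idea how long an embargo may run or when they may publish; consider adding a maximum coordinated-disclosure window (for example a fixed number of days after the fix is ready) under "Security Response Process". Two smaller points in the same hunk: the GitHub "Report a vulnerability" button in steps 1-3 only appears in repositories where private vulnerability reporting has been enabled, so the policy should either state that every KusionStack repository has it enabled or keep the e-mail route as the primary path; and the e-mail alternative offers no encryption key, so a reporter sending reproduction steps has no way to protect them in transit. Style: the opening paragraph reads "The KusionStack is a CNCF incubating project ... And we take the security of KusionStack very seriously"; drop the leading "The" and join the two sentences.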
6 changes: 5 additions & 1 deletion profile/README.md
Expand Up @@ -14,7 +14,7 @@ As world's most promising Kubernetes Explorer/Kubernetes Dashboard, our end goal

[Kusion](https://github.com/KusionStack/kusion) is an intent-driven [Platform Orchestrator](https://internaldeveloperplatform.org/platform-orchestrators/), which sits at the core of an [Internal Developer Platform](https://internaldeveloperplatform.org/what-is-an-internal-developer-platform/). With Kusion you can enhance self-service developer experience, by giving developers the ability to deploy applications with all dependencies to all environments, with a single application specification - [AppConfiguration](https://www.kusionstack.io/docs/next/concepts/app-configuration).

Inspired by the phrase **Fusion on Kubernetes**, Kusion aims to simplify the process of deploying applications into your infrastructure and helps platform teams standardize the whole deployment process.
Inspired by the phrase **Fusion on Kubernetes**, Kusion aims to simplify the process of deploying applications into your infrastructure and helps platform teams standardize the whole deployment process.

## Kuperator

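Review bot: The removed and added "Inspired by the phrase **Fusion on Kubernetes** ..." lines are identical as rendered, so this hunk is a whitespace-only or line-ending change; either confirm that is intended (and say so in the commit message) or drop it from this PR so the diff only carries the Security section.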
Expand All @@ -33,3 +33,7 @@ We regularly post about technical practice and thinking we have solved and provi
## KusionStack Community Code of Conduct

KusionStack follows the [CNCF Code of Conduct](https://github.com/cncf/foundation/blob/main/code-of-conduct.md).

## Security

KusionStack takes security seriously. If you discover a security vulnerability in any of our projects, please refer to our [Security Policy](https://github.com/KusionStack/.github/blob/main/SECURITY.md) for reporting guidelines. We will respond to all reports as quickly as possible.
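Review bot: The new Security section promises to "respond to all reports as quickly as possible" while the linked SECURITY.md commits to acknowledgement within 24 hours; align the wording so the organisation profile does not set a different expectation than the policy it links to. Also worth a thought: the link is pinned to `blob/main` of the `.github` repository, which is fine for the default branch but should be revisited if the default branch is ever renamed.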