Hi maintainers — I'm @ouwibo (ouwibo@gmail.com), a security researcher who's been spending time with the ATXP stack.

Because ATXP touches wallets, identity, and live payment rails, I noticed the repo doesn't yet have a SECURITY.md and there's no obvious private channel for researchers to report issues responsibly. This PR adds a standard policy so that any future findings — from this community or from your own users — have a clear path that isn't a public issue.

What this PR does

• Adds SECURITY.md to the repo root.
• Suggests security@atxp.ai as the preferred contact, with support@atxp.ai as fallback (since I couldn't find a security@ listed anywhere).
• Documents scope (this repo, the SDK/CLI, the backend APIs, wallet custody, payment routing) and clear out-of-scope items.
• Sets a 90-day coordinated disclosure window as the default.
• Adds a safe harbor clause for researchers acting in good faith.
• Honestly notes that ATXP doesn't currently run a paid bounty program (so the policy doesn't mislead).

Why now

Live USDC on the payment path means real money exposure if anything in routing / custody / signing has an edge case. Having a published policy:

1. Cuts down public exposure of issues that should be handled privately.
2. Gives users and contributors confidence in the project.
3. Makes it easier for other researchers (not just me) to do the right thing.

I tried to keep the wording neutral and template-friendly — feel free to edit the contact addresses, scope, or timelines to match how the team actually wants to operate. Happy to iterate on this in review.

I'd also like to coordinate privately on a sensitive finding I have. Please reach me at ouwibo@gmail.com or DM @ouwibo.

— @ouwibo