security: Add SECURITY.md with responsible disclosure policy

OpenCare-Core stores sensitive patient records, medical histories, vital signs, and PHI (Protected Health Information). The repository contains no SECURITY.md and no responsible disclosure channel. Security researchers who discover vulnerabilities have no safe way to report them privately.