docs(security): verify GitHub Private Vulnerability Reporting is enabled and documented in SECURITY.md #553

@WilliamBerryiii

Description

Summary

Confirm GitHub Private Vulnerability Reporting (PVR) is enabled for the repo, document the reporting flow in SECURITY.md, and ensure CODEOWNERS routes security advisories to a defined responder group.

Background

SECURITY.md exists but does not currently make the GHSA private-reporting flow explicit. Enabling and documenting PVR is a low-effort, high-signal step that the OpenSSF Scorecard Security-Policy check rewards and that materially shortens the time from external report to triage.

Acceptance Criteria

  • Settings → Code security → Private vulnerability reporting confirmed enabled (screenshot or gh api evidence captured in the PR)
  • SECURITY.md updated with: how to file a private GHSA report, expected response SLO, scope, and out-of-scope items
  • CONTRIBUTING.md links to the SECURITY.md PVR section
  • CODEOWNERS includes an entry for SECURITY.md so security responders are auto-requested on edits
  • OpenSSF Scorecard Security-Policy check at maximum score
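An added pre-PR checklist script (not part of this issue or the repository it belongs to) that backs the first, second and fourth acceptance criteria with something a reviewer can rerun. The PVR status query uses GitHub's REST endpoint `GET /repos/{owner}/{repo}/private-vulnerability-reporting`, which returns `{"enabled": true|false}` (a `PUT` to the same path enables the feature). `REPO`, the `@owner/security-responders` team, the sample SECURITY.md and the sample CODEOWNERS are placeholders constructed for the example; the keyword heuristics for the SECURITY.md sections are this script's own and are not the Scorecard scoring rules.

```shell
#!/usr/bin/env bash
# Added example, not from the issue or the repository it belongs to.
# Pre-PR checklist for the PVR acceptance criteria. REPO is a hypothetical
# placeholder; set RUN_LIVE=1 to query GitHub, otherwise only the offline
# checks against the constructed samples below are exercised.

REPO="${REPO:-owner/repo}"   # hypothetical placeholder, e.g. org/project

# GET /repos/{owner}/{repo}/private-vulnerability-reporting returns
# {"enabled": true|false}. Enabling PVR is a PUT to the same path.
fetch_pvr_status() {
  gh api "repos/$REPO/private-vulnerability-reporting"
}

# Returns 0 when a PVR status body reports enabled:true. Dependency-free
# check that tolerates whitespace; it is not a general JSON parser.
pvr_enabled_from_json() {
  printf '%s\n' "$1" | grep -Eq '"enabled"[[:space:]]*:[[:space:]]*true'
}

# Prints which SECURITY.md items from the acceptance criteria the given text
# lacks (private-report-link, response-slo, scope, out-of-scope) and returns 1
# if anything is missing. The keyword heuristics are this script's own.
security_md_missing() {
  text="$1"; missing=""
  printf '%s\n' "$text" | grep -Eqi 'security/advisories/new|private vulnerability report|privately' \
    || missing="$missing private-report-link"
  printf '%s\n' "$text" | grep -Eqi 'within [0-9]+ (business |calendar )?days|SLO|response time' \
    || missing="$missing response-slo"
  printf '%s\n' "$text" | grep -Eqi '^#+ +scope|in[- ]scope' \
    || missing="$missing scope"
  printf '%s\n' "$text" | grep -Eqi 'out[- ]of[- ]scope' \
    || missing="$missing out-of-scope"
  printf '%s\n' "${missing# }"
  [ -z "$missing" ]
}

# Returns 0 when CODEOWNERS carries an explicit SECURITY.md entry with at
# least one owner. A catch-all "*" rule also covers the file, but the
# criterion asks for a dedicated entry, so only that is accepted here.
codeowners_has_security_md() {
  printf '%s\n' "$1" | grep -Eq '^[[:space:]]*/?SECURITY\.md[[:space:]]+@'
}

# Constructed sample SECURITY.md and CODEOWNERS used by the offline checks.
SAMPLE_SECURITY_MD='# Security Policy

## Reporting a vulnerability

Report vulnerabilities privately through GitHub Private Vulnerability Reporting:
https://github.com/owner/repo/security/advisories/new (placeholder URL)

We acknowledge new reports within 3 business days.

## Scope

Code in this repository and its published release artifacts.

## Out of scope

Third-party dependencies (report upstream) and issues in unsupported versions.'

SAMPLE_CODEOWNERS='# hypothetical responder team
/SECURITY.md @owner/security-responders'

if [ "${RUN_LIVE:-0}" = 1 ]; then
  body="$(fetch_pvr_status)" || { echo "gh api call failed for $REPO"; exit 1; }
  if pvr_enabled_from_json "$body"; then
    echo "PVR: enabled"
  else
    echo "PVR: DISABLED (enable with: gh api -X PUT repos/$REPO/private-vulnerability-reporting)"
    exit 1
  fi
fi
```

Run it with `RUN_LIVE=1 REPO=org/project bash check-pvr.sh` from an authenticated `gh` session and paste the output into the PR as the evidence the first criterion asks for; the offline functions can be pointed at the real `SECURITY.md` and `CODEOWNERS` contents with `security_md_missing "$(cat SECURITY.md)"` and `codeowners_has_security_md "$(cat .github/CODEOWNERS)"`.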

Metadata

Labels

docs (Documentation improvements), security (Security-related issues or fixes)
