Docs/security guideline (#295)

* Create dependabot.yml

Initial dependabot.yml

* Create SECURITY.md

Guideline for security researcher to report vulnerabilities and communicate the discovery to our project community.

* Update SECURITY.md

Change wording for Discord channel initial contact and added Github Issues guideline.

.github/dependabot.yml

@@ -0,0 +1,41 @@
+# To get started with Dependabot version updates, you'll need to specify which
+# package ecosystems to update and where the package manifests are located.
+# Please see the documentation for all configuration options:
+# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
+
+version: 2
+updates:
+  - package-ecosystem: "npm" # See documentation for possible values
+    directory: "/api" # Location of package manifests
+    schedule:
+      interval: "weekly"
+    allow:
+      # Allow both direct and indirect updates for all packages
+      - dependency-type: "all"
+    commit-message:
+      prefix: "npm api prod"
+      prefix-development: "npm api dev"
+      include: "scope"
+  - package-ecosystem: "npm" # See documentation for possible values
+    directory: "/client" # Location of package manifests
+    schedule:
+      interval: "weekly"
+    allow:
+      # Allow both direct and indirect updates for all packages
+      - dependency-type: "all"
+    commit-message:
+      prefix: "npm client prod"
+      prefix-development: "npm client dev"
+      include: "scope"
+  - package-ecosystem: "npm" # See documentation for possible values
+    directory: "/" # Location of package manifests
+    schedule:
+      interval: "weekly"
+    allow:
+      # Allow both direct and indirect updates for all packages
+      - dependency-type: "all"
+    commit-message:
+      prefix: "npm all prod"
+      prefix-development: "npm all dev"
+      include: "scope" 
+     

SECURITY.md

@@ -0,0 +1,47 @@
+# Security Policy
+
+## Reporting a Vulnerability
+We take security seriously and appreciate the efforts of security researchers to improve the security of our codebase. 
+If you discover a security vulnerability within our project, please follow these guidelines to report it to us:
+
+**Note: Only report sensible vulnerability report details via Github Security Advisory System. Every other communication channel are public and should be used only to initiate first contact and to initiate a private communication channel.**
+
+### Communication channels
+  - **Option 1: GitHub Security Advisory System**: We encourage you to use GitHub's Security Advisory system to report any security vulnerabilities you find. This allows us to receive vulnerability reports directly through GitHub. You can find more information on how to submit a security advisory report in the [GitHub Security Advisories documentation](https://docs.github.com/en/code-security/getting-started-with-security-vulnerability-alerts/about-github-security-advisories).
+  - **Option 2: Github issues**: You can initiate first contact via Github Issues. **Please note that initial contact through Discord should not include any sensitive details.** 
+  - **Option 3: Discord Server**: You can join our [Discord community](https://discord.gg/NGaa9RPCft) and initiate first contact in the `#issues` channel. **Please note that initial contact through Discord should not include any sensitive details.** 
+
+_After initial contact, we will use this initial contact to establish a private communication channel for further discussion._
+
+
+### When submitting a vulnerability report, please provide us with the following information:
+  - A clear description of the vulnerability, including steps to reproduce it
+  - The version(s) of the project affected by the vulnerability
+  - Any additional information that may be useful for understanding and addressing the issue
+We will make every effort to acknowledge your report within 72 hours and keep you informed of its progress towards resolution.
+
+
+## Security Updates and Patching
+We are committed to maintaining the security of our open-source project named ChatGPT-Clone and promptly addressing any identified vulnerabilities. To ensure the security of our project, we follow these practices:
+  - We prioritize security updates for the current major release of our software.
+  - We actively monitor the GitHub Security Advisory system and the `#security-reports` channel on Discord for any vulnerability reports.
+  - We promptly review and validate reported vulnerabilities and take appropriate actions to address them.
+  - We release security patches and updates in a timely manner to mitigate any identified vulnerabilities.
+
+Please note that as a security-conscious community, we may not always disclose detailed information about security issues until we have determined that doing so would not put our users or the project at risk. We appreciate your understanding and cooperation in these matters.
+
+## Scope
+This security policy applies to the following GitHub repository:
+- Repository: [ChatGPT-Clone](https://github.com/danny-avila/chatgpt-clone)
+
+## Contact
+If you have any questions or concerns regarding the security of our project, please join our [Discord community](https://discord.gg/NGaa9RPCft) and report them in the appropriate channel. 
+You can also reach out to us by [opening an issue](https://github.com/danny-avila/chatgpt-clone/issues/new) on GitHub.
+Please note that the response time may vary depending on the nature and severity of the inquiry.
+
+## Acknowledgments
+We would like to express our gratitude to the security researchers and community members who help us improve the security of our project. Your contributions are invaluable, and we sincerely appreciate your efforts.
+
+## Bug Bounty Program
+We do not currently have a bug bounty program in place. However, we welcome and appreciate any security-related contributions through pull requests (PRs) that address vulnerabilities in our codebase. 
+We believe in the power of collaboration to improve the security of our project and invite you to join us in making it more robust.