docs(security): update policy for OpenSSF badge

Update supported versions to 1.16.x, add response process with
7-day acknowledgment timeline, reporter credit policy, and secure
development practices section.

Signed-off-by: Ramon Roche <mrpollo@gmail.com>

SECURITY.md

@@ -2,24 +2,40 @@
 
 ## Supported Versions
 
-The following is a list of versions the development team is currently supporting.
+The following versions receive security updates:
 
 | Version | Supported          |
 | ------- | ------------------ |
-| 1.4.x   | :white_check_mark: |
-| 1.3.3   | :white_check_mark: |
-| < 1.3   | :x:                |
+| 1.16.x  | :white_check_mark: |
+| < 1.16  | :x:                |
 
 ## Reporting a Vulnerability
 
-We currently only receive security vulnerability reports through GitHub.
+We receive security vulnerability reports through GitHub Security Advisories.
 
-To begin a report, please go to the top-level repository, for example, PX4/PX4-Autopilot,
-and click on the Security tab. If you are on mobile, click the ... dropdown menu, and then click Security.
+To begin a report, go to the [PX4/PX4-Autopilot](https://github.com/PX4/PX4-Autopilot) repository
+and click on the **Security** tab. If you are on mobile, click the **...** dropdown menu, then click **Security**.
 
-Click Report a Vulnerability to open the advisory form. Fill in the advisory details form.
-Make sure your title is descriptive, and the development team can find all of the relevant details needed
-to verify on the description box. We recommend you add as much data as possible. We welcome logs,
-screenshots, photos, and videos, anything that can help us verify and identify the issues being reported.
+Click **Report a Vulnerability** to open the advisory form. Fill in the advisory details form.
+Make sure your title is descriptive and the description contains all relevant details needed
+to verify the issue. We welcome logs, screenshots, photos, and videos.
 
-At the bottom of the form, click Submit report. The maintainer team will be notified and will get back to you ASAP.
+At the bottom of the form, click **Submit report**.
+
+## Response Process
+
+1. **Acknowledgment**: The maintainer team will acknowledge your report within **7 days**.
+2. **Triage**: We will assess severity and impact and communicate next steps.
+3. **Disclosure**: We coordinate disclosure with the reporter. We follow responsible disclosure practices and will credit reporters in the advisory unless they request anonymity.
+
+If you do not receive acknowledgment within 7 days, please follow up by emailing the [release managers](MAINTAINERS.md).
+
+## Secure Development Practices
+
+The PX4 development team applies the following practices to reduce security risk:
+
+- **Code review**: All changes require peer review before merging.
+- **Static analysis**: [clang-tidy](https://clang.llvm.org/extra/clang-tidy/) runs on every pull request with warnings treated as errors.
+- **Fuzzing**: A daily fuzzing pipeline using [Google fuzztest](https://github.com/google/fuzztest) tests MAVLink message handling and GNSS driver protocol parsing.
+- **Input validation**: All external inputs (MAVLink messages, RC signals, sensor data) are validated against expected ranges before use.
+- **Compiler hardening**: Builds use `-Wall -Werror`, stack protectors, and other hardening flags where supported by the target platform.