docs: update chatwoot VDP guidelines (#2740)

README.md

@@ -91,7 +91,10 @@ Follow this [link](https://www.chatwoot.com/docs/environment-variables) to under
 Please follow [deployment architecture guide](https://www.chatwoot.com/docs/deployment/architecture) to deploy with Docker or Caprover.
 
 ---
+#### Security
+Looking to report a vulnerability? Please refer our [SECURITY.md](./SECURITY.md) file.
 
+---
 ### Contributors ✨
 
 Thanks goes to all these [wonderful people](https://www.chatwoot.com/docs/contributors):

SECURITY.md

@@ -1,8 +1,31 @@
 # Security Policy
+Chatwoot is looking forward to working with security researchers across the world to keep Chatwoot and our users safe. If you have found an issue in our systems/applications, please reach out to us.
 
 ## Reporting a Vulnerability
 
 We use [huntr.dev](https://huntr.dev/) for security issues that affect our project. If you believe you have found a vulnerability, please disclose it via this [form](https://huntr.dev/bounties/disclose). 
+
 This will enable us to review the vulnerability, fix it promptly, and reward you for your efforts.
 
-If you have any questions about the process, feel free to reach out to hello@chatwoot.com.
+If you have any questions about the process, feel free to reach out to security@chatwoot.com.
+
+
+## Out of scope
+
+Please do not perform testing against Chatwoot production services. Use a self hosted instance to perform tests.
+
+We consider the following to be out of scope, though there may be exceptions.
+
+- Missing HTTP security headers
+- Self XSS
+- HTTP Host Header XSS without working proof-of-concept
+- Incomplete/Missing SPF/DKIM
+- Denial of Service attacks
+- DNSSEC
+- Social Engineering attacks
+
+If you are not sure about the scope, please create a report.
+
+## Thanks
+
+Thank you for keeping Chatwoot and our users safe. 🙇