docs: update SECURITY.md, CONTRIBUTING docs for CNCF/OpenSSF compliance (#3764)

Signed-off-by: EndlessSeeker <1766508902@qq.com>

GOVERNANCE.md

@@ -0,0 +1,50 @@
+# Higress Governance
+
+Higress is a [Cloud Native Computing Foundation (CNCF)](https://www.cncf.io/)
+sandbox project. This document describes the project's open governance model.
+
+All community members must follow the
+[**CNCF Code of Conduct**](https://github.com/cncf/foundation/blob/main/code-of-conduct.md)
+and the project's adopted policy in [`CODE_OF_CONDUCT.md`](./CODE_OF_CONDUCT.md).
+
+## Values
+
+Higress governance is guided by the following values:
+
+- **Openness**: Communication and decision making happen in public channels and repositories whenever possible.
+- **Fairness**: Contributions are evaluated on technical merit rather than company affiliation.
+- **Community First**: Long-term community health has priority over short-term product goals.
+- **Inclusivity**: We welcome contributors from different regions and backgrounds.
+- **Participation**: Project responsibilities are earned through sustained contribution.
+
+## Roles
+
+Higress role definitions are documented in:
+
+- [`MAINTAINERS.md`](./MAINTAINERS.md)
+- [`CODEOWNERS`](./CODEOWNERS)
+- [`CONTRIBUTING_EN.md`](./CONTRIBUTING_EN.md)
+
+## Decision Making
+
+Higress uses **lazy consensus** by default.
+
+When consensus cannot be reached, maintainers may start a vote on a public
+issue or pull request. A simple majority of votes cast decides the outcome.
+
+For governance or project direction changes, maintainers should allow adequate
+time for public discussion before finalizing decisions.
+
+## Governance Updates
+
+Changes to this document are made through pull requests and approved by
+maintainers.
+
+## Security
+
+Security reporting and response follow [`SECURITY.md`](./SECURITY.md).
+
+---
+
+Higress is a [Cloud Native Computing Foundation](https://www.cncf.io/) sandbox
+project.