From 6ce49cb723f4a02f2fd4c8db96f9269565f1043f Mon Sep 17 00:00:00 2001 From: Greg Bowler Date: Mon, 21 Apr 2025 15:02:59 +0100 Subject: [PATCH] Create SECURITY.md --- SECURITY.md | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..ee9f073 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,25 @@ +# Security Policy + +## Supported Versions + +All MAJOR versions of this package will receive security updates for **two years after the next major version is released**. For example, if version 4.0.0 is released, version 3.x will continue receiving security updates for two years from that date. + +Versions outside this window are considered end-of-life and will no longer receive updates, even for critical vulnerabilities. + +## Reporting a Vulnerability + +If you discover a security issue, please report it using GitHub's [**"Report a vulnerability"** feature](../../security/advisories/new) under the **Security** tab of this repository. + +When reporting, please include the following information to help us investigate quickly and thoroughly: + +- A clear description of the vulnerability and what part of the code it affects. +- Steps to reproduce the issue, ideally including: + - The affected version + - A code snippet or minimal test case + - The expected vs. actual behavior +- If applicable, an explanation of potential impact or severity. +- Any suggested mitigations or patches (optional, but appreciated). + +Please do not disclose the vulnerability publicly until we've had a chance to investigate and publish a fix. + +We appreciate responsible disclosure and are committed to resolving issues promptly.
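Review bot: the relative link `../../security/advisories/new` in the "Reporting a Vulnerability" section only resolves when SECURITY.md is rendered from the repository root on GitHub; viewed from a packaged release, a mirror, or a fork's file tree it points at nothing. Suggest an absolute URL to this repository's advisories page, and confirm that private vulnerability reporting is actually enabled on the repository, since the "Report a vulnerability" button only exists when it is; otherwise add a fallback contact (a security e-mail address) so a reporter is never left with a dead link. Two smaller points on the same hunk: "Please do not disclose the vulnerability publicly until we've had a chance to investigate and publish a fix" sets no expectation at all, so state an acknowledgement window and a target disclosure period (for example, acknowledge within a few days, aim to publish a fix and advisory within 90 days) so a reporter knows when coordinated disclosure is reasonable; and the "Supported Versions" rule covers only how long an old major stays supported after the next one ships, so add a line making explicit that the current major always receives updates, ideally with a short table of which majors are in or out of support today so users don't have to compute the two-year window themselves.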