diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..d765d3b --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,18 @@ +# Security Policy + +## Reporting a vulnerability + +Please **do not open a public issue** for security problems — a public issue is a public exploit. + +- **Preferred:** use GitHub's private vulnerability reporting — go to the **Security** tab of this repository and click **"Report a vulnerability"**. +- **Or email:** aryayt55@gmail.com with `[SECURITY]` in the subject. + +Please include steps to reproduce, the affected version/commit, and the impact you believe it has. A proof-of-concept helps but is not required. + +## What to expect + +This project is maintained by a solo developer. I'll acknowledge your report within **7 days** and keep you updated as I triage and fix. Please give me a reasonable window to ship a fix before public disclosure — I'll credit you in the advisory unless you prefer otherwise. + +## Scope + +The latest release and the default branch are in scope. Dependencies are handled via Dependabot; if the issue is in an upstream dependency, reporting it upstream is usually faster, but feel free to flag it here too.