From b2ab9f0d091d6c29166522d2a94902d160f8dc75 Mon Sep 17 00:00:00 2001 From: Arya Teja Rudraraju <124627951+aryateja2106@users.noreply.github.com> Date: Sat, 11 Jul 2026 13:42:53 +0530 Subject: [PATCH] docs: add security policy (private vulnerability reporting + contact) --- SECURITY.md | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..d765d3b --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,18 @@ +# Security Policy + +## Reporting a vulnerability + +Please **do not open a public issue** for security problems — a public issue is a public exploit. + +- **Preferred:** use GitHub's private vulnerability reporting — go to the **Security** tab of this repository and click **"Report a vulnerability"**. +- **Or email:** aryayt55@gmail.com with `[SECURITY]` in the subject. + +Please include steps to reproduce, the affected version/commit, and the impact you believe it has. A proof-of-concept helps but is not required. + +## What to expect + +This project is maintained by a solo developer. I'll acknowledge your report within **7 days** and keep you updated as I triage and fix. Please give me a reasonable window to ship a fix before public disclosure — I'll credit you in the advisory unless you prefer otherwise. + +## Scope + +The latest release and the default branch are in scope. Dependencies are handled via Dependabot; if the issue is in an upstream dependency, reporting it upstream is usually faster, but feel free to flag it here too.