docs: Add security policy

humanwhocodes · Feb 19, 2025 · d522e8e · d522e8e
1 parent 257b7b5
commit d522e8e
Showing 1 changed file with 22 additions and 0 deletions.
diff --git a/.github/SECURITY.md b/.github/SECURITY.md
@@ -0,0 +1,22 @@
+# Security Policy
+
+## Supported Versions
+
+Security updates are applied only to the most recent releases.
+
+## Reporting a Vulnerability
+
+To securely report a vulnerability, please [open an advisory on GitHub][advisory]. This form is also accessible when [submitting a new issue][issue].
+
+## Vulnerability Process
+
+1. Your report will be acknowledged within two business days.
+2. The team will investigate and update the issue with relevant information.
+3. If the team does not confirm the report, no further action will be taken and the issue will be closed.
+4. If the team confirms the report, the team will take action to fix it immediately:
+    1. Commits will be handled in a private repository for review and testing.
+    2. Release a new patch version from the private repository.
+    3. Notify Tidelift about the vulnerability.
+
+[advisory]: https://github.com/humanwhocodes/humanfs/security/advisories/new
+[issue]: https://github.com/humanwhocodes/humanfs/issues/new/choose