docs: add security policy

thi-ng · Nov 26, 2024 · a214ded · a214ded
1 parent 85e2f09
commit a214ded
Showing 1 changed file with 20 additions and 0 deletions.
diff --git a/SECURITY.md b/SECURITY.md
@@ -0,0 +1,20 @@
+# Security Policy
+
+## Reporting a Vulnerability
+
+If there are any vulnerabilities in any of the projects part of the
+**thi.ng/umbrella** monorepo, please **report them**! Thank you!
+
+1. Send an email to `security at thi.ng`.
+2. Describe the vulnerability.
+
+   If you have a fix, that is most welcome — please attach or summarize it in your message!
+
+3. We will evaluate the vulnerability and, if necessary, release a fix or
+mitigating steps to address it. We will contact you to let you know the outcome,
+and will credit you in the report.
+
+   Please **do not disclose the vulnerability publicly** until a fix is released!
+
+4. Once we have either a) published a fix, or b) declined to address the
+vulnerability for whatever reason, you are free to publicly disclose it.