From 0f7d03b3e3f26709768a63f0133dcc9622b6e8fb Mon Sep 17 00:00:00 2001 From: Maddy Guthridge Date: Thu, 3 Apr 2025 20:10:25 +1100 Subject: [PATCH] Create SECURITY.md --- SECURITY.md | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..527b0c7 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,23 @@ +# Security Policy + +## Supported Versions + +We only support the latest version of PyHTML, but are open to backporting +security fixes to earlier versions on-request. + +## Reporting a Vulnerability + +We take the security of PyHTML very seriously. If you have discovered a +vulnerability in PyHTML, please disclose it responsibly. + +Some vulnerabilities we consider to be high-severity are: + +* Bugs where HTML, JS or CSS code can be embedded within PyHTML output + without making use of the `p.style`, p.DangerousRawHtml` or `p.script` + tags. +* Bugs where the act of rendering PyHTML can trigger remote code execution + given seemingly-correct input (eg a `str` or descendant of `p.Tag`). + +You should disclose these vulnerabilities by creating a private issue on +the project's GitHub repo. We will aim to fix these issues as quickly as +possible.
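Review bot: the reporting instructions in this hunk would cause a reporter to disclose publicly, because the line `+You should disclose these vulnerabilities by creating a private issue on` describes a mechanism GitHub does not provide: issues on a public repository are visible to everyone, so a reporter who follows the policy as written would publish the bug before a fix exists. Either enable GitHub's private vulnerability reporting for the repository and tell reporters to use the "Report a vulnerability" entry under the repository's Security tab, or give a contact e-mail address, and in both cases state plainly that they should not open a public issue. Two smaller points: the line `+   without making use of the \`p.style\`, p.DangerousRawHtml\` or \`p.script\`` is missing the opening backtick before `p.DangerousRawHtml`, and the policy would serve reporters better if it stated an acknowledgement window and a coordinated-disclosure timeline (for example, a fixed number of days after which the reporter may publish) so that both sides know what to expect.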