From 6cbd95993a040c6c96c84e7b72c46dae322a1b0b Mon Sep 17 00:00:00 2001 From: Kelly Mears Date: Mon, 14 Aug 2023 21:19:53 -0400 Subject: [PATCH] =?UTF-8?q?=E2=9A=99=EF=B8=8F=20internal(none):=20security?= =?UTF-8?q?.md=20(#2408)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit add security.md ## Type of change **NONE: internal change** --- SECURITY.md | 7 +++++++ 1 file changed, 7 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000000..8ac5bd969d --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,7 @@ +# Reporting Security Issues + +If you believe you have found a security vulnerability in bud.js, we encourage you to let us know right away. We will investigate all legitimate reports and do our best to quickly fix the problem. + +While we take security very seriously it is important to remember that nearly all bud.js dependencies are run in local developer environments only, and even more bud.js dependencies are only used within the context of this repository. In the context of a build tool, many "vulenrabilities" are safe to ignore. Runtime vulnerabilities will always be taken very seriously and handled with urgency. + +Check out [npm audit: Broken by Design by Dan Abramov](https://overreacted.io/npm-audit-broken-by-design/) if you're interested in our thinking around the severity of non runtime security issues.
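Review bot: The new SECURITY.md asks reporters to "let us know right away" but never states where to send a report; the first section of the hunk should name a private channel (for example a GitHub Security Advisory on the repository or a dedicated contact address, both left here as placeholders for the maintainers to fill in) and ask that reports not be filed as public issues, since a public issue discloses the finding before a fix exists. It would also help to state an expected acknowledgement window so reporters know when to follow up. Separately, the third paragraph of the hunk has a typo: "vulenrabilities" should read "vulnerabilities".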