From 55827a9011f851331ddb59637405878f7f11db51 Mon Sep 17 00:00:00 2001 From: Scott Leggett Date: Tue, 12 Dec 2023 15:02:05 +0800 Subject: [PATCH] chore: add security policy to repository --- README.md | 1 + SECURITY.md | 15 +++++++++++++++ 2 files changed, 16 insertions(+) create mode 100644 SECURITY.md diff --git a/README.md b/README.md index 1260375..17d2873 100644 --- a/README.md +++ b/README.md @@ -71,6 +71,7 @@ Configure the repository: * Dependabot security updates * Secret scanning * Push protection + * Private vulnerability reporting 1. Go to repository Settings > Actions > General: diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..3059784 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,15 @@ +# Security Policy + +## Supported Versions + +Please do not use older minor versions, as these are not supported. +Only the latest minor version will receive patch releases. + +## Reporting a Vulnerability + +To report a security issue, please [privately report a security vulnerability](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/privately-reporting-a-security-vulnerability#privately-reporting-a-security-vulnerability) through GitHub. +If you do not have a GitHub account, please email security@example.com with a description of the issue, the steps you took to create the issue, affected versions, and, if known, mitigations for the issue. +We will endeavour to respond within 3 working days of your email. + +If an issue is confirmed as a vulnerability, we will open a Security Advisory. +This project follows a 30 day disclosure timeline.
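Review bot: the new `* Private vulnerability reporting` bullet in the README hunk is added to the repository settings checklist without saying that the SECURITY.md added in the same patch depends on it; if this setting is left off, the "privately report a security vulnerability" link in SECURITY.md leads nowhere and reporters fall back to email. Suggest extending the bullet, e.g. `* Private vulnerability reporting (required for the reporting link in SECURITY.md)`, and, for consistency with the following `Settings > Actions > General` step, naming the Settings page where the option lives.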
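Review bot: the SECURITY.md hunk ships `security@example.com` as the fallback reporting address, which is a placeholder domain; a reporter without a GitHub account would have no working channel, so replace it with a monitored mailbox before merging, or drop the email fallback and rely solely on private vulnerability reporting. Two smaller points in the same hunk: `This project follows a 30 day disclosure timeline.` does not state when the 30 days start (receipt of the report, or confirmation and opening of the advisory), and `Only the latest minor version will receive patch releases.` does not say whether that is the latest minor of the latest major only; stating both removes ambiguity for reporters and downstream users.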