From 809f6be73f350423052b0eb40e2862e8b0c40c2d Mon Sep 17 00:00:00 2001 From: Rhuan Barreto Date: Wed, 4 Mar 2026 23:34:51 +0100 Subject: [PATCH] docs: add security policy Add SECURITY.md so GitHub surfaces the security policy tab. Directs vulnerability reports to GitHub Security Advisories with expected response timelines and coordinated disclosure. Co-Authored-By: Claude Opus 4.6 --- SECURITY.md | 32 ++++++++++++++++++++++++++++++++ 1 file changed, 32 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 00000000..9adaa40f --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,32 @@ +# Security Policy + +## Supported Versions + +| Version | Supported | +| ------- | ------------------ | +| latest | :white_check_mark: | + +Only the latest release receives security updates. We recommend always running the most recent version. + +## Reporting a Vulnerability + +**Please do not report security vulnerabilities through public GitHub issues.** + +Instead, report them via [GitHub Security Advisories](https://github.com/archgate/cli/security/advisories/new). + +Include as much of the following as possible: + +- A description of the vulnerability +- Steps to reproduce the issue +- Affected versions +- Any potential impact + +## Response Timeline + +- **Acknowledgment:** Within 3 business days of your report. +- **Assessment:** We will evaluate severity and impact within 7 business days. +- **Fix:** Critical vulnerabilities will be patched as soon as possible. A fix timeline will be communicated in the assessment response. + +## Disclosure Policy + +We follow coordinated disclosure. We ask that you give us reasonable time to address the issue before any public disclosure.