docs: add repository security policy (#97)

anand-testcompare · web-flow · commit 27f062ff3331 · 2026-02-26T00:21:40.000-06:00
diff --git a/SECURITY.md b/SECURITY.md
@@ -0,0 +1,30 @@
+# Security Policy
+
+## Reporting A Vulnerability
+
+Please do not open public issues for security problems.
+
+Use GitHub private vulnerability reporting:
+
+- Create a private advisory: `https://github.com/shpitdev/cable-intel/security/advisories/new`
+- Include repro steps, impact, and any known fix/workaround.
+
+If private advisory creation is unavailable for your access level, contact a maintainer directly and mark the message as `SECURITY`.
+
+## Scope
+
+This policy covers:
+
+- Source code in this repository
+- CI/CD workflows and repository automation
+- Credentials/secrets exposure risks tied to this repository
+
+## Response Targets
+
+- Initial triage: within 3 business days
+- Status update after validation: within 7 business days
+
+## Remediation
+
+Validated vulnerabilities are prioritized by impact and fixed as quickly as practical.
+When possible, fixes are released before public disclosure.
