From 9632b628135cfd3a968ce6e236ea649d25327b7f Mon Sep 17 00:00:00 2001 From: David Sarkisyan <281478990+srkyn@users.noreply.github.com> Date: Fri, 22 May 2026 11:12:56 -0400 Subject: [PATCH] Add security policy --- README.md | 2 ++ SECURITY.md | 34 ++++++++++++++++++++++++++++++++++ 2 files changed, 36 insertions(+) create mode 100644 SECURITY.md diff --git a/README.md b/README.md index c8ce502..010431d 100644 --- a/README.md +++ b/README.md @@ -303,3 +303,5 @@ The goal is practical: reduce noisy IAM alerts by adding identity context before ## Disclaimer All data is simulated. This project is defensive only. It does not collect credentials, use real API keys, connect to production tenants, or perform offensive exploitation. + +For public reporting boundaries and safe sample-data guidance, see [SECURITY.md](SECURITY.md). diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..a7de88d --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,34 @@ +# Security Policy + +IdentityRiskGraph is a defensive portfolio project that uses simulated identity data, sample CloudTrail-style events, and optional public GitHub repository metadata. + +## Reporting + +If you notice a safety issue in the public content, open a GitHub issue with: + +- the affected file or feature +- a short description of the concern +- sanitized reproduction details, if relevant + +Do not include real credentials, tokens, private logs, customer data, tenant IDs, AWS account IDs, internal hostnames, private IP addresses, or screenshots from live environments. + +## Scope + +In scope: + +- accidental sensitive data exposure in committed samples +- misleading detection or risk-scoring wording +- unsafe public API usage patterns +- broken examples that could confuse defensive analysis + +Out of scope: + +- requests to analyze private logs publicly +- offensive expansion beyond defensive detection context +- environment-specific allowlists or proprietary detections + +## Safe Usage + +The GitHub API adapter reads public repository metadata and prints local review notes. It does not store responses, write to GitHub, inspect private code, or treat metadata as a security verdict. + +All included IAM, device, event, and CloudTrail data is simulated and should not be treated as production evidence.
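Review bot: in the README hunk, the new sentence sends readers to SECURITY.md for "public reporting boundaries and safe sample-data guidance", but the Disclaimer paragraph it extends states that the project does not use real API keys or connect to live services, while the SECURITY.md hunk in this same patch describes a GitHub API adapter that reads public repository metadata over the network. The two statements only line up if that adapter always runs unauthenticated; if it accepts a token (for example to raise rate limits), say so here in the Disclaimer instead of leaving the reader to reconcile the two files. It would also help to name the section the link targets ("see the Reporting section of SECURITY.md for what not to include"), since "safe sample-data guidance" does not match any heading in the new file.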
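Review bot: in the SECURITY.md hunk, the Reporting section routes every report through a public GitHub issue, yet the Scope list's first in-scope item is "accidental sensitive data exposure in committed samples"; a public issue about a leaked value publicizes exactly the data the reporter wants removed. Split the channel: keep public issues for wording, broken-example and API-usage concerns, and give a private path (the repository's private vulnerability reporting, or a maintainer email address) for anything involving committed secrets or live-environment data, with an explicit line asking reporters not to paste the suspected value into the report. It is also worth stating in Safe Usage or Reporting that a credential found in a committed sample must be rotated and removed from history, not just deleted in a follow-up commit, since earlier revisions stay fetchable. Finally, "unsafe public API usage patterns" in the Scope list needs a short gloss (what counts as unsafe for an adapter that only reads public metadata) so reporters can tell whether a finding qualifies.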