Create SECURITY.md

Kvnbbg · web-flow · commit bab222ed94f6 · 2025-02-05T11:06:43.000+01:00
diff --git a/SECURITY.md b/SECURITY.md
@@ -0,0 +1,76 @@
+# Security Policy
+
+## Table of Contents
+1. [Supported Versions](#supported-versions)
+2. [Reporting a Vulnerability](#reporting-a-vulnerability)
+3. [Disclosure Policy](#disclosure-policy)
+4. [Acknowledgments](#acknowledgments)
+
+---
+
+## Supported Versions
+
+This section outlines the versions of our project that are currently receiving security updates and support.
+
+| Version | Supported          | End of Support |
+| ------- | ------------------ | -------------- |
+| 5.1.x   | :white_check_mark: | N/A            |
+| 5.0.x   | :x:                | 2023-01-01     |
+| 4.0.x   | :white_check_mark: | 2024-01-01     |
+| < 4.0   | :x:                | 2022-01-01     |
+
+**Note:** Only actively supported versions receive critical security patches. Users are strongly encouraged to upgrade to the latest stable version to ensure the highest level of security.
+
+---
+
+## Reporting a Vulnerability
+
+We take security seriously and appreciate your efforts in identifying potential vulnerabilities. If you discover any security issues, please follow these guidelines:
+
+### How to Report:
+1. **Submit a Report via Email:** Send a detailed report to [123kevin@duck.com](mailto:123kevin@duck.com).
+2. **Include the Following Information:**
+   - A clear description of the vulnerability.
+   - Steps to reproduce the issue.
+   - The affected version(s) of the software.
+   - Any tools or configurations used during testing.
+   - Potential impact of the vulnerability.
+
+### What to Expect:
+- **Initial Response:** We aim to acknowledge your report within **48 hours**.
+- **Investigation:** Our team will investigate the issue and provide periodic updates on the progress.
+- **Resolution:** Once the vulnerability is confirmed, we will work diligently to patch it and release an update.
+- **Communication:** You will be informed about the status of the fix and the expected timeline for deployment.
+
+### Acceptance Criteria:
+- Reports must include sufficient information to reproduce the issue.
+- Vulnerabilities must affect a supported version of the software.
+
+### Declined Reports:
+If your report does not meet the acceptance criteria or is deemed invalid, we will notify you with an explanation.
+
+---
+
+## Disclosure Policy
+
+Our goal is to balance transparency with responsible disclosure to protect our users. Here’s how we handle public disclosure:
+
+1. **Internal Review:** Upon receiving a valid report, we conduct an internal review to assess the severity and impact of the vulnerability.
+2. **Patch Development:** We develop and test a fix for the issue.
+3. **Coordinated Release:** Once the fix is ready, we coordinate its release with the reporter (if applicable) to ensure proper communication.
+4. **Public Announcement:** After the fix is deployed, we may publish a security advisory detailing the issue, its resolution, and credits to the reporter (with their permission).
+
+---
+
+## Acknowledgments
+
+We value the contributions of security researchers who help us improve the security of our project. Below is a list of individuals and organizations whose efforts have been instrumental in identifying and resolving vulnerabilities:
+
+- **[Researcher Name]** - Reported a critical vulnerability in version 5.1.2.
+- **[Organization Name]** - Conducted a comprehensive security audit in 2023.
+
+If you would like to be acknowledged for your contribution, please let us know when submitting your report.
+
+---
+
+This policy is subject to change as we continuously improve our processes. For further questions or clarifications, feel free to reach out to our security team at [123kevin@duck.com](mailto:123kevin@duck.com). Thank you for helping us maintain the security of our project! 
