docs: Define a security policy.

skyzyx · skyzyx · commit 0e1f3ecdcd42 · 2023-10-15T02:14:21.000-06:00
diff --git a/SECURITY.md b/SECURITY.md
@@ -0,0 +1,33 @@
+# Security Policy
+
+<!--
+## Supported Versions
+
+Use this section to tell people about which versions of your project are
+currently being supported with security updates.
+
+| Version | Supported          |
+| ------- | ------------------ |
+| 5.1.x   | :white_check_mark: |
+| 5.0.x   | :x:                |
+| 4.0.x   | :white_check_mark: |
+| < 4.0   | :x:                |
+-->
+
+## Reporting a Vulnerability
+
+If you believe you have found a legitimate security vulnerability, please report it to <ryan@ryanparman.com>.
+
+There is no bounty program, and there are no payments for discovering/reporting security vulnerabilities, but we **all** benefit from software that is more secure. Happy to provide public thanks once the issue has been resolved.
+
+What I need is:
+
+* An explanation of the bug.
+* A minimum viable reproduction case which triggers the issue.
+* What you expected to happen.
+* What actually happened.
+* [OPTIONAL] A suggested patch attached as a .diff file, if you have one.
+
+I don't check my email every day, and I get LOTS of email. It may take me up to a week to discover your message. I will respond as soon as I see your message and confirm that I can reproduce the issue.
+
+Thank you for participating in the _responsible disclosure_ of security vulnerabilities.
