Add SECURITY.md with vulnerability reporting guidelines

Introduces a security policy describing how to responsibly report memory safety and other security vulnerabilities.
2026-03-22 05:00:17 +00:00 · 2026-02-27 20:49:16 +05:30 · 2026-02-27 20:49:16 +05:30 · a3d69ae528
commit a3d69ae528
parent 5f9d44f451
1 changed files with 38 additions and 0 deletions
--- a/security.md
+++ b/security.md
@ -0,0 +1,38 @@
+# Security Policy
+
+## Reporting a Vulnerability
+
+If you discover a security vulnerability in pocketpy, please report it responsibly.
+
+Do NOT open a public GitHub issue for security-sensitive bugs.
+
+Instead, report the issue privately by contacting the maintainers with:
+
+- A clear description of the vulnerability
+- Steps to reproduce the issue
+- A minimal proof-of-concept (if possible)
+- Environment details (OS, compiler, version, build flags)
+
+Examples of security issues include:
+
+- Heap-buffer-overflow
+- Stack-buffer-overflow
+- Use-after-free
+- Out-of-bounds read/write
+- Crashes triggered by crafted input
+
+## Response Process
+
+After receiving a report, maintainers may:
+
+1. Confirm and reproduce the issue
+2. Investigate and prepare a fix
+3. Release a patched version
+4. Publicly disclose the issue after it is resolved
+
+Please allow reasonable time for investigation and remediation before public disclosure.
+
+## Supported Versions
+
+Security fixes are typically applied to the latest development version.
+Older versions may not receive patches.