From a3d69ae528bb25671508865ebea84e5504448db3 Mon Sep 17 00:00:00 2001 From: Baala-Murugan-K Date: Fri, 27 Feb 2026 20:49:16 +0530 Subject: [PATCH] Add SECURITY.md with vulnerability reporting guidelines Introduces a security policy describing how to responsibly report memory safety and other security vulnerabilities. --- security.md | 38 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 38 insertions(+) create mode 100644 security.md diff --git a/security.md b/security.md new file mode 100644 index 00000000..e0599cab --- /dev/null +++ b/security.md @@ -0,0 +1,38 @@ +# Security Policy + +## Reporting a Vulnerability + +If you discover a security vulnerability in pocketpy, please report it responsibly. + +Do NOT open a public GitHub issue for security-sensitive bugs. + +Instead, report the issue privately by contacting the maintainers with: + +- A clear description of the vulnerability +- Steps to reproduce the issue +- A minimal proof-of-concept (if possible) +- Environment details (OS, compiler, version, build flags) + +Examples of security issues include: + +- Heap-buffer-overflow +- Stack-buffer-overflow +- Use-after-free +- Out-of-bounds read/write +- Crashes triggered by crafted input + +## Response Process + +After receiving a report, maintainers may: + +1. Confirm and reproduce the issue +2. Investigate and prepare a fix +3. Release a patched version +4. Publicly disclose the issue after it is resolved + +Please allow reasonable time for investigation and remediation before public disclosure. + +## Supported Versions + +Security fixes are typically applied to the latest development version. +Older versions may not receive patches. \ No newline at end of file
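Review bot: the "Reporting a Vulnerability" section asks reporters to contact the maintainers privately but never says how, so a reporter following "Do NOT open a public GitHub issue" has no channel left to use; add a concrete address or link after "Instead, report the issue privately by contacting the maintainers with:" (a dedicated security mailbox, or the repository's private vulnerability reporting page if the project enables it), and say whether encrypted reports are accepted. Two smaller points in the same hunk: the subject line and the intro say "SECURITY.md" while the diff creates "security.md" (`create mode 100644 security.md`), so pick one name and make the file path match the message; and the closing "\ No newline at end of file" is worth fixing before merge. Consider also turning "maintainers may:" and "Security fixes are typically applied to the latest development version" into firmer commitments (an acknowledgement window, and which versions actually receive fixes), since a policy that only says what might happen gives a reporter nothing to hold the project to when deciding when to disclose.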