From b38992765340fe651a4002e2ea99ebde51ec95c9 Mon Sep 17 00:00:00 2001 From: Laurent Bossavit Date: Mon, 14 Apr 2025 10:18:40 +0200 Subject: [PATCH] =?UTF-8?q?=F0=9F=93=9D(security)=20add=20a=20basic=20secu?= =?UTF-8?q?rity=20disclosure=20policy?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This is copied from Docs with only minor changes. --- SECURITY.md | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..b1b90f6 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,23 @@ +# Security Policy + +## Reporting a Vulnerability + +Security is very important to us. + +If you have any issue regarding security, please disclose the information responsibly submiting [this form](https://vdp.numerique.gouv.fr/p/Send-a-report?lang=en) and not by creating an issue on the repository. You can also email us at support-regie@numerique.gouv.fr + +We appreciate your effort to make People more secure. + +## Vulnerability disclosure policy + +Working with security issues in an open source project can be challenging, as we are required to disclose potential problems that could be exploited by attackers. With this in mind, our security fix policy is as follows: + +1. The Maintainers team will handle the fix as usual (Pull Request, +release). +2. In the release notes, we will include the identification numbers from the +GitHub Advisory Database (GHSA) and, if applicable, the Common Vulnerabilities +and Exposures (CVE) identifier for the vulnerability. +3. Once this grace period has passed, we will publish the vulnerability. + +By adhering to this security policy, we aim to address security concerns +effectively and responsibly in our open source software project.
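Review bot: Step 3 of the disclosure policy says "Once this grace period has passed, we will publish the vulnerability", but no grace period is defined anywhere in the list; steps 1 and 2 describe the fix and the release notes without stating any delay between release and public disclosure. Suggest stating the period explicitly in step 2 or 3, e.g. "we will wait N days after the fixed release before publishing details" (with N chosen by the maintainers), so reporters know when they may publish on their side. Minor: "submiting" in the reporting paragraph should be "submitting", and "This is copied from Docs with only minor changes" in the commit message suggests that "People" in "make People more secure" is the intended project name; if so, fine, otherwise it should be the repository's name.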