diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..09d542f --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,28 @@ +# Security Policy + +## Reporting a Vulnerability + +Please do not report unpatched vulnerabilities through public GitHub issues. + +Preferred: use GitHub private vulnerability reporting for this repository: + +- https://github.com/ContextualWisdomLab/aFIPC/security/advisories/new + +If private reporting is unavailable, open a public issue that only asks for a secure disclosure channel. Do not include exploit details, secrets, personal data, or unreleased vulnerability information in a public issue. + +When reporting, include: + +- affected branch, tag, or commit +- reproduction steps +- impact assessment +- proof-of-concept input or sanitized logs when needed for safe reproduction + +## Response Expectations + +- acknowledgement target: within 7 days +- triage or status update target: within 30 days when a fix is feasible +- coordinated disclosure preferred after a fix or mitigation is available + +## Safe Handling + +Do not send production credentials, private keys, customer data, or copyrighted third-party source documents in reports. Use synthetic fixtures and sanitized evidence whenever possible.
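Review bot: In the "Response Expectations" list, the line `- triage or status update target: within 30 days when a fix is feasible` ties the status-update commitment to fix feasibility, so a reporter gets no promised update in the won't-fix, disputed or out-of-scope cases where one matters most; suggest splitting it into an unconditional `- triage or status update target: within 30 days` and a separate `- fix or mitigation timeline: set per report after triage`. The file also states no supported versions or scope, so a reporter asked to name an "affected branch, tag, or commit" cannot tell whether an older tag is in scope; a short "Supported Versions" section (even just "only the default branch receives fixes") would close that gap.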