From 25f3c3e1d0229db4f40d3df03fda7bac582fc1a1 Mon Sep 17 00:00:00 2001 From: Kili Date: Mon, 9 Mar 2026 23:24:16 +0100 Subject: [PATCH] Add security policy (#688) * Add security policy * Update SECURITY.md for vulnerability reporting clarity Clarified instructions for reporting vulnerabilities and updated language regarding security fixes. --------- Co-authored-by: Sean Whalen <44679+seanthegeek@users.noreply.github.com> --- SECURITY.md | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..a38f850 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,29 @@ +# Security Policy + +## Reporting a vulnerability + +Please do not open a public GitHub issue for an undisclosed security +vulnerability. Use GitHub private vulnerability reporting in the Security tab of this project instead. + +When reporting a vulnerability, include: + +- the affected parsedmarc version or commit +- the component or integration involved +- clear reproduction details if available +- potential impact +- any suggested mitigation or workaround + +## Supported versions + +Security fixes will be applied to the latest released version and +the current `master` branch. + +Older versions will not receive backported fixes. + +## Disclosure process + +After a report is received, maintainers can validate the issue, assess impact, +and coordinate a fix before public disclosure. + +Please avoid publishing proof-of-concept details until maintainers have had a +reasonable opportunity to investigate and release a fix or mitigation.
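Review bot: The "Reporting a vulnerability" section names GitHub private vulnerability reporting as the only channel; consider adding a fallback contact (a security mailbox or named maintainer) for reporters who have no GitHub account or in case private reporting is not enabled on the repository, and an expected acknowledgement window so reporters know when a follow-up is reasonable. In "Disclosure process", "maintainers can validate the issue, assess impact, and coordinate a fix" reads as optional; "maintainers will validate the issue, assess impact, and coordinate a fix" states the commitment more clearly and matches the "Please avoid publishing proof-of-concept details" request that follows it.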