From 484ca410c769e017289c6fb109c051d4a9486beb Mon Sep 17 00:00:00 2001 From: DankerMu Date: Tue, 27 Jan 2026 08:20:28 +0800 Subject: [PATCH] Add SECURITY.md vulnerability reporting policy --- SECURITY.md | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 00000000..cf1e4f05 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,24 @@ +# Security Policy + +## Reporting a Vulnerability + +Please **do not** open a public GitHub issue for security vulnerabilities. + +Preferred reporting channels: + +1. **GitHub Security Advisories** (if enabled): use the repository’s “Report a vulnerability” flow. +2. **Email**: send details to `ray@vectify.ai`. + +Include as much of the following as possible: +- A clear description of the issue and potential impact +- Steps to reproduce (PoC, request/response samples, screenshots where relevant) +- Affected versions/commit and environment details +- Any suggested remediation + +## Response Expectations + +We aim to acknowledge reports within **3 business days** and will coordinate a fix/patch timeline based on severity and reproducibility. + +## Bug Bounty + +We do not currently run a formal bug bounty program. Valid reports may still be acknowledged in release notes or the security advisory, at our discretion.
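Review bot: The first reporting channel is hedged with "(if enabled)", which leaves the reporter guessing whether the private "Report a vulnerability" flow actually works for this repository; either enable GitHub private vulnerability reporting and drop the qualifier, or remove that option so `ray@vectify.ai` is clearly the primary channel. Since the email fallback carries PoCs and request/response samples, consider stating how to send them confidentially (for example, publishing a PGP key fingerprint next to the address) rather than in plain email. Two things a reporter will also look for are missing from the file: a Supported Versions section saying which releases or branches receive fixes, and a disclosure expectation beyond the 3-business-day acknowledgement (for instance, a target window for coordinated public disclosure and how credit is handled), which would make the "Response Expectations" and "Bug Bounty" sections concrete rather than best-effort.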