From d183478e0509f4e3a74be5c9135ef6a68eb53125 Mon Sep 17 00:00:00 2001 From: John Boyes Date: Fri, 29 Mar 2024 00:42:45 +0000 Subject: [PATCH] Document security vulnerability reporting process As suggested by #439 --- README.md | 13 +++++++++++++ SECURITY.md | 27 +++++++++++++++++++++++++++ 2 files changed, 40 insertions(+) create mode 100644 SECURITY.md diff --git a/README.md b/README.md index dc58805a..3317e57d 100644 --- a/README.md +++ b/README.md @@ -249,3 +249,16 @@ The project is [open source](https://opensource.guide/how-to-contribute/) and al See the [DEPENDENCIES.md](.github/DEPENDENCIES.md) +## Reporting security vulnerabilities + +As per our [SECURITY.md](SECURITY.md) we welcome and appreciate security vulnerability reports. + +Our policy is for vulnerability reports to be [reported privately](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/privately-reporting-a-security-vulnerability). + +To report a new vulnerability: + +1. go to the [repository's Security Advisories page](https://github.com/agilepathway/label-checker/security/advisories) +2. click on `Report a vulnerability` + +[Tips on creating a great vulnerability report](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/best-practices-for-writing-repository-security-advisories#best-practices) + diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 00000000..bf81c13c --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,27 @@ +# Security Policy + +## Supported Versions + +**Any fixes for security vulnerabilities will be applied to a new release only**, rather than +retrospectively applied to previous releases. + +The reason for this is that the label checker is a standalone GitHub Action with (purposefully) +minimal dependencies and therefore very straightforward for consumers to update versions. It's +**recommended for consumers to pin to the major version of the label checker**, so that they +automatically get all new backwards compatible updates (major version updates will be extremely +rare events, one every few years at most, and very possible less frequent even than that). + +If a vulnerability is serious enough we may also apply it to previous major versions, but this +is not guaranteed. + +## Reporting a Vulnerability + +Our policy is for vulnerability reports to be [reported privately](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/privately-reporting-a-security-vulnerability). +To report a new vulnerability: + +1. go to the [repository's Security Advisories page](https://github.com/agilepathway/label-checker/security/advisories) +2. click on `Report a vulnerability` + +[Tips on creating a great vulnerability report](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/best-practices-for-writing-repository-security-advisories#best-practices) + +We welcome and appreciate vulnerability reports and will endeavour to respond very swiftly.
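Review bot: the new README section (hunk `@@ -249,3 +249,16 @@`) copies the "reported privately" sentence, the two numbered steps and the tips link verbatim from SECURITY.md, so the two copies will drift the first time either is edited; since the section already links to SECURITY.md, consider keeping only the opening sentence plus the link, e.g. "See [SECURITY.md](SECURITY.md) for how to report a vulnerability privately." Whichever copy stays, it should also say explicitly that vulnerabilities must not be filed as public issues or pull requests, since that is the most common way a private-reporting policy gets bypassed.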
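Review bot: two wording defects in the SECURITY.md hunk: "very possible less frequent even than that" should read "very possibly less frequent even than that", and "we may also apply it to previous major versions" should say "apply the fix", because "it" currently refers back to the vulnerability. Two gaps a reader of the policy will hit: the Supported Versions section recommends pinning to the major version so fixes arrive automatically, but does not say that consumers who pin to a full version tag or a commit SHA will not receive a security fix until they bump the reference themselves, which is worth stating since that is exactly what the "new release only" rule implies for them; and "will endeavour to respond very swiftly" gives no concrete commitment, so consider stating a target acknowledgement window (for example a number of business days) so reporters know when to follow up.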