From 3fa59306c2c3e41ca6c4b4f8ff87d78186f7f64c Mon Sep 17 00:00:00 2001 From: Jean-Philippe Brule Date: Thu, 5 Mar 2026 05:59:26 -0500 Subject: [PATCH] docs: add security policy Co-Authored-By: Svrnty Inc. --- SECURITY.md | 53 +++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 53 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..91fde16 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,53 @@ +# Security Policy + +## Reporting a Vulnerability + +If you discover a security vulnerability, please report it responsibly. + +**Do NOT open a public issue.** + +### How to Report + +Email: **security@svrnty.com** + +Include: +- Description of the vulnerability +- Steps to reproduce +- Potential impact +- Any suggested fixes (optional) + +### Response Timeline + +- **Acknowledgment**: Within 48 hours +- **Initial Assessment**: Within 7 days +- **Resolution Target**: Within 30 days (depending on severity) + +### What to Expect + +1. We will acknowledge receipt of your report +2. We will investigate and validate the issue +3. We will work on a fix and coordinate disclosure +4. We will credit you (if desired) when the fix is released + +### Scope + +This policy applies to: +- Code in this repository +- Dependencies we control +- Infrastructure we operate + +### Out of Scope + +- Third-party services or dependencies +- Social engineering attacks +- Physical security + +## Supported Versions + +Security updates are provided for the latest release only. + +| Version | Supported | +|---------|-----------| +| Latest | Yes | +| Older | No | +
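Review bot: In the "Response Timeline" list, "Resolution Target: Within 30 days (depending on severity)" leaves the commitment undefined, because the policy never says how severity is rated or which severities the 30-day target covers; consider stating a target per severity level or naming the rating scheme used. Under "How to Report", email to security@svrnty.com is the only channel and no option for encrypted submission is given, so a published public key or a private reporting channel would be worth adding for reports that contain reproduction steps. The "Scope" and "Out of Scope" lists both mention dependencies ("Dependencies we control" versus "Third-party services or dependencies"), and a one-line definition of what "control" means here would remove the ambiguity. The "Supported Versions" table uses "Latest" and "Older" without saying where a reporter finds the current release, so a pointer to the releases page or tag would help. The file also ends with an added empty line after the table, which can be dropped.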