From fdaa0159ab7276ae3288834392117f59199b132e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Th=C3=A0nh=20Nh=C3=A2n?= <60387689+NhanAZ@users.noreply.github.com> Date: Wed, 10 Jun 2026 02:47:47 +0700 Subject: [PATCH] docs: add security policy --- README.md | 4 ++++ SECURITY.md | 29 +++++++++++++++++++++++++++++ 2 files changed, 33 insertions(+) create mode 100644 SECURITY.md diff --git a/README.md b/README.md index d115ce9..116cf62 100644 --- a/README.md +++ b/README.md @@ -116,6 +116,10 @@ It complements them by catching risks specific to AI-assisted development - hall See [CONTRIBUTING.md](CONTRIBUTING.md) for development setup, code standards, and how to add new rules. +## Security + +Report suspected vulnerabilities privately by following [SECURITY.md](SECURITY.md). + ## License [MIT](LICENSE) diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..c666eda --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,29 @@ +# Security Policy + +## Supported versions + +Security fixes are provided for the latest released minor version. + +| Version | Supported | +|---------|-----------| +| 0.3.x | Yes | +| < 0.3 | No | + +## Reporting a vulnerability + +Do not report suspected vulnerabilities in a public issue. + +Use [GitHub private vulnerability reporting](https://github.com/NhanAZ/OpenPolicyKit/security/advisories/new) +to submit a report. Include: + +- A description of the vulnerability and its potential impact. +- The affected version, operating system, and Node.js version. +- Reproduction steps or a minimal proof of concept. +- Any known mitigations or workarounds. + +Maintainers aim to acknowledge reports within three business days and +provide an initial assessment within seven business days. Resolution +timelines depend on severity and complexity. + +Please allow maintainers reasonable time to investigate and release a +fix before public disclosure.
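Review bot: In the new SECURITY.md, the "Supported versions" table hardcodes `0.3.x` while the sentence above it says fixes go to "the latest released minor version", so the table will silently go stale on the next minor release; either drop the table and keep the sentence, or word the row as "latest minor (currently 0.3.x)" and add a release-checklist item to bump it. The reporting section relies solely on the GitHub private vulnerability reporting link, which only works if that feature is enabled in the repository's security settings; confirm it is enabled before merging, and consider listing a fallback contact so a reporter is never forced into a public issue. "Please allow maintainers reasonable time" is vague for a coordinated-disclosure policy; stating a concrete window (and what the reporter can expect afterwards, such as an advisory and credit) sets clearer expectations on both sides.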