NhanAZ-Drops · NhanAZ · Jun 9, 2026 · Jun 9, 2026
diff --git a/README.md b/README.md
@@ -116,6 +116,10 @@ It complements them by catching risks specific to AI-assisted development - hall
 
 See [CONTRIBUTING.md](CONTRIBUTING.md) for development setup, code standards, and how to add new rules.
 
+## Security
+
+Report suspected vulnerabilities privately by following [SECURITY.md](SECURITY.md).
+
 ## License
 
 [MIT](LICENSE)
diff --git a/SECURITY.md b/SECURITY.md
@@ -0,0 +1,29 @@
+# Security Policy
+
+## Supported versions
+
+Security fixes are provided for the latest released minor version.
+
+| Version | Supported |
+|---------|-----------|
+| 0.3.x   | Yes       |
+| < 0.3   | No        |
+
+## Reporting a vulnerability
+
+Do not report suspected vulnerabilities in a public issue.
+
+Use [GitHub private vulnerability reporting](https://github.com/NhanAZ/OpenPolicyKit/security/advisories/new)
+to submit a report. Include:
+
+- A description of the vulnerability and its potential impact.
+- The affected version, operating system, and Node.js version.
+- Reproduction steps or a minimal proof of concept.
+- Any known mitigations or workarounds.
+
+Maintainers aim to acknowledge reports within three business days and
+provide an initial assessment within seven business days. Resolution
+timelines depend on severity and complexity.
+
+Please allow maintainers reasonable time to investigate and release a
+fix before public disclosure.