From 046714d2838e123030684d994761247d9b24999d Mon Sep 17 00:00:00 2001 From: TheAuditor <228822721+TheAuditorTool@users.noreply.github.com> Date: Wed, 1 Apr 2026 20:42:38 +0700 Subject: [PATCH] Create SECURITY.md --- SECURITY.md | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 00000000..352f85f0 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,18 @@ +# Security Policy + +## Supported Versions +Currently, the `master` branch and the latest release of `jdeploy` are receiving security updates. + +| Version | Supported | +| ------- | ------------------ | +| Latest | :white_check_mark: | +| < Latest| :x: | + +## Reporting a Vulnerability + +Because `jdeploy` handles privileged execution contexts, code signing certificates, and downstream installation bundles, security is a top priority. + +If you discover a vulnerability, please **do not open a public issue.** Instead, please report it via [GitHub Private Vulnerability Reporting](https://docs.github.com/en/code-security/security-advisories/repository-security-advisories/privately-reporting-a-security-vulnerability) (if enabled by the maintainers) or contact the maintainers directly. + +### Disclosure Timeline +We follow standard industry Coordinated Vulnerability Disclosure (CVD) practices. Reporters are expected to provide a **90-day** window for remediation before public disclosure or CVE publication.
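Review bot: In the "Reporting a Vulnerability" section, the fallback "or contact the maintainers directly" names no address or channel, and the primary route is qualified with "(if enabled by the maintainers)", so a reporter who finds private reporting disabled has no documented private path. Suggest confirming that Private Vulnerability Reporting is enabled on the repository and dropping the conditional, or adding a concrete contact (a security mailbox or similar) to this file. Two smaller points: the "Supported Versions" sentence says both `master` and the latest release receive updates, but the table lists only "Latest" and "< Latest", so either add a row for `master` or remove it from the sentence; and "Disclosure Timeline" states the reporter's 90-day obligation without saying when the window starts or what the maintainers commit to in return (for example, a time to acknowledge a report), which is worth spelling out.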