cspotcode · ironbyte-rgb · Jan 28, 2026 · Copilot · Jan 28, 2026 · Copilot
diff --git a/SECURITY.md b/SECURITY.md
@@ -0,0 +1,21 @@
+# Security Policy
+
+## Supported Versions
+
+Use this section to tell people about which versions of your project are
+currently being supported with security updates.
+
+| Version | Supported          |
+| ------- | ------------------ |
+| 5.1.x   | :white_check_mark: |
+| 5.0.x   | :x:                |
+| 4.0.x   | :white_check_mark: |
+| < 4.0   | :x:                |
+
-| 5.1.x   | :white_check_mark: |
-| 5.0.x   | :x:                |
-| 4.0.x   | :white_check_mark: |
-| < 4.0   | :x:                |
+| 0.8.x   | :white_check_mark: |
+| < 0.8.0 | :x:                |
-| 5.1.x   | :white_check_mark: |
-| 5.0.x   | :x:                |
-| 4.0.x   | :white_check_mark: |
-| < 4.0   | :x:                |
+| 0.8.x   | :white_check_mark: |
+| < 0.8.0 | :x:                |
+## Reporting a Vulnerability
+
+Use this section to tell people how to report a vulnerability.
+
+Tell them where to go, how often they can expect to get an update on a
+reported vulnerability, what to expect if the vulnerability is accepted or
+declined, etc.
-
-Use this section to tell people how to report a vulnerability.
-
-Tell them where to go, how often they can expect to get an update on a
-reported vulnerability, what to expect if the vulnerability is accepted or
-declined, etc.
+## Reporting a Vulnerability
+
+To report a security vulnerability, please contact the maintainers using one of the following private channels:
+
+- **Preferred:** Open a private security advisory via GitHub: go to this repository’s **Security** tab and click **“Report a vulnerability”** (GitHub Security Advisories).
+- **Alternative:** Send an email to **security@project.org** with the subject line `SECURITY VULNERABILITY: <short summary>`.
+
+Please include as much detail as possible, including:
+
+- A description of the issue and its potential impact
+- Steps to reproduce (proof-of-concept code, HTTP requests, configuration details, etc.)
+- Any known workarounds or mitigations
+- The version(s) of the project you tested against
+
+We aim to acknowledge your report within **3 business days** and to provide an initial assessment or request for more information within **7 business days**. During the investigation:
+
+- We will keep you updated at key stages (triage, confirmation, fix in progress, release planning).
+- We may ask you for additional information to help reproduce or better understand the impact.
+- We will make a reasonable effort to develop and release a fix before publicly disclosing details of the vulnerability.
+
+If we determine that the vulnerability is valid, we will:
+
+- Prepare and test a patch or mitigation.
+- Coordinate a release that includes the fix.
+- Publish release notes and, if appropriate, a security advisory describing the impact and remediation steps.
+- Credit you as the reporter (unless you request to remain anonymous).
+
+Please **do not** report security vulnerabilities via public issue trackers, discussion forums, or social media, as this may increase the risk to users before a fix is available.
-
-Use this section to tell people how to report a vulnerability.
-
-Tell them where to go, how often they can expect to get an update on a
-reported vulnerability, what to expect if the vulnerability is accepted or
-declined, etc.
+## Reporting a Vulnerability
+
+To report a security vulnerability, please contact the maintainers using one of the following private channels:
+
+- **Preferred:** Open a private security advisory via GitHub: go to this repository’s **Security** tab and click **“Report a vulnerability”** (GitHub Security Advisories).
+- **Alternative:** Send an email to **security@project.org** with the subject line `SECURITY VULNERABILITY: <short summary>`.
+
+Please include as much detail as possible, including:
+
+- A description of the issue and its potential impact
+- Steps to reproduce (proof-of-concept code, HTTP requests, configuration details, etc.)
+- Any known workarounds or mitigations
+- The version(s) of the project you tested against
+
+We aim to acknowledge your report within **3 business days** and to provide an initial assessment or request for more information within **7 business days**. During the investigation:
+
+- We will keep you updated at key stages (triage, confirmation, fix in progress, release planning).
+- We may ask you for additional information to help reproduce or better understand the impact.
+- We will make a reasonable effort to develop and release a fix before publicly disclosing details of the vulnerability.
+
+If we determine that the vulnerability is valid, we will:
+
+- Prepare and test a patch or mitigation.
+- Coordinate a release that includes the fix.
+- Publish release notes and, if appropriate, a security advisory describing the impact and remediation steps.
+- Credit you as the reporter (unless you request to remain anonymous).
+
+Please **do not** report security vulnerabilities via public issue trackers, discussion forums, or social media, as this may increase the risk to users before a fix is available.