Add a SECURITY.md file. (#150)

sanason · web-flow · commit 33324d01b05f · 2024-12-30T10:27:15.000-06:00
diff --git a/SECURITY.md b/SECURITY.md
@@ -0,0 +1,27 @@
+# Security Policy
+
+Services operated by the U.S. General Services Administration (GSA)
+are covered by the **GSA Vulnerability Disclosure Policy**. See the [policy page](https://gsa.gov/vulnerability-disclosure-policy) for details including:
+
+* GSA's coordinated disclosure policy.
+* Information on how you may conduct security research on GSA developed
+  software and systems.
+* Important legal and policy guidance.
+
+## Reporting a Vulnerability
+
+Security issues should be reported via GitHub [private vulnerability reporting](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/privately-reporting-a-security-vulnerability#privately-reporting-a-security-vulnerability) (requires a GitHub account) or by sending an email to <dap@gsa.gov>.
+
+Security issues may also be reported to the GSA Vulnerability Disclosure Program, following instructions in the policy linked above. However, we ask that you report directly to us as well, to ensure that the issue will be reviewed quickly.
+
+## Supported Versions
+
+Please note that only the most recent major version of the DAP code is supported with security updates.
+
+| Version | Supported          |
+|-------| ------------------ |
+| 8.x   | :white_check_mark: |
+| < 8.0 | :x:                |
+
+When using this code or reporting vulnerabilities, please only use supported
+versions.
