Revise GEMC Security Policy document

maureeungaro · web-flow · commit fee84d0ad181 · 2025-08-25T17:00:11.000-04:00
Updated the security policy document to clarify contact information, supported versions, vulnerability reporting process, and scope of support.
diff --git a/SECURITY.md b/SECURITY.md
@@ -0,0 +1,34 @@
+# GEMC Security Policy
+
+**Contact:** gemc@jlab.org  
+**Do not open public issues for security bugs.**
+
+## Supported Versions
+
+We provide security fixes for:
+- The default branch (next release)
+
+| Version | Supported          |
+| ------- | ------------------ |
+| dev     | :white_check_mark: |
+| 1.0     | :x:                |
+
+
+## Report a Vulnerability
+Email **gemc@jlab.org** with:
+- What the issue is and why it matters
+- Steps to reproduce (a minimal PoC if possible)
+- Affected version / commit and environment
+
+If you prefer to use GitHub’s private reporting (if enabled), use **Security → Report a vulnerability**.
+
+## What to Expect
+- We’ll acknowledge your report and start triage as soon as we can.
+- We’ll work on a fix and coordinate a release or mitigation.
+- We’ll credit you (name or handle) if you want.
+
+## Scope
+- In scope: GEMC code in the official repositories and our published container images.
+- Out of scope: vulnerabilities that are only in third-party dependencies (please report upstream; you can CC us).
+
+Thanks for helping keep GEMC users safe.
