From 504db8f45474c771ef1991a78c7bdd8c36f8c958 Mon Sep 17 00:00:00 2001
From: kallal79
Date: Fri, 3 Apr 2026 14:42:18 +0530
Subject: [PATCH] Add SECURITY.md vulnerability reporting policy
Implement issue #309 by adding a dedicated security policy for bundler-audit.
Changes:
- Add SECURITY.md with private vulnerability reporting instructions.
- Document email reporting channel and disclosure expectations.
- Add spec/security_policy_spec.rb to verify policy file presence and core guidance.
This commit intentionally contains only security-policy related files.
---
SECURITY.md | 32 ++++++++++++++++++++++++++++++++
spec/security_policy_spec.rb | 22 ++++++++++++++++++++++
2 files changed, 54 insertions(+)
create mode 100644 SECURITY.md
create mode 100644 spec/security_policy_spec.rb
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 00000000..a0eccb90
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,32 @@
+# Security Policy
+
+If you discover a security vulnerability in bundler-audit, please report it
+privately.
+
+## Reporting A Vulnerability
+
+- Email: postmodern.mod3@gmail.com
+- Subject: "[bundler-audit] Security vulnerability report"
+
+Please include:
+
+- A clear description of the issue and impact.
+- Steps to reproduce or a proof of concept.
+- Affected versions and environment details.
+- Any suggested remediation, if known.
+
+Do not open a public GitHub issue for suspected vulnerabilities.
+
+## Encryption
+
+If you want to send encrypted details, mention this in your initial email and we
+will coordinate a secure channel.
+
+## Disclosure Process
+
+After confirmation, maintainers will:
+
+1. Acknowledge receipt.
+2. Investigate and validate the report.
+3. Prepare and release a fix.
+4. Coordinate responsible disclosure details.
diff --git a/spec/security_policy_spec.rb b/spec/security_policy_spec.rb
new file mode 100644
index 00000000..056eaa8e
--- /dev/null
+++ b/spec/security_policy_spec.rb
@@ -0,0 +1,22 @@
+require 'spec_helper'
+
+describe 'SECURITY.md' do
+ let(:path) do
+ File.expand_path(File.join(File.dirname(__FILE__), '..', 'SECURITY.md'))
+ end
+
+ let(:content) { File.read(path) }
+
+ it 'exists' do
+ expect(File.file?(path)).to be(true)
+ end
+
+ it 'contains private reporting guidance' do
+ expect(content).to include('Reporting A Vulnerability')
+ expect(content).to include('Do not open a public GitHub issue')
+ end
+
+ it 'contains a security contact channel' do
+ expect(content).to include('postmodern.mod3@gmail.com')
+ end
+end
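Review bot: The third example pins one maintainer's personal mailbox as a string literal (`expect(content).to include('postmodern.mod3@gmail.com')`), so the spec has to be edited every time the contact channel rotates while proving nothing beyond the presence of that exact address; asserting the structure of the reporting line instead keeps the check meaningful without coupling it to a person, e.g. `expect(content).to match(/^- Email: \S+@\S+$/)`. The `let(:path)` block can be the one-liner `let(:path) { File.expand_path('../SECURITY.md', __dir__) }`, which reads the same and drops the nested `File.join`/`File.dirname` calls. Because `let(:content)` is lazy, a missing policy file makes the second and third examples fail with an `Errno::ENOENT` raised inside the `let` rather than an expectation message; that is tolerable only because the first example reports the absence clearly, so keep the `exists` example if the others are ever reordered or split out.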