dotnet · tanakaryotadayo-wq · Mar 30, 2026 · Copilot · Mar 30, 2026 · Copilot
diff --git a/SECURITY.md b/SECURITY.md
@@ -0,0 +1,21 @@
+# Security Policy
+
+## Supported Versions
+
+Use this section to tell people about which versions of your project are
+currently being supported with security updates.
+
+| Version | Supported          |
+| ------- | ------------------ |
+| 5.1.x   | :white_check_mark: |
+| 5.0.x   | :x:                |
+| 4.0.x   | :white_check_mark: |
+| < 4.0   | :x:                |
+
-Use this section to tell people about which versions of your project are
-currently being supported with security updates.
-
-| Version | Supported          |
-| ------- | ------------------ |
-| 5.1.x   | :white_check_mark: |
-| 5.0.x   | :x:                |
-| 4.0.x   | :white_check_mark: |
-| < 4.0   | :x:                |
+The vscode-dotnet-runtime extensions and library do not currently maintain a
+formal matrix of supported historical versions.
+
+Security fixes and other critical patches are generally applied only to the
+latest released version of each package in this repository. To receive
+security updates, use the most recent published versions from the Visual
+Studio Code Marketplace or npm.
+
+If you must use an older version, you are responsible for reviewing changes
+and backporting any fixes you require.
-Use this section to tell people about which versions of your project are
-currently being supported with security updates.
-
-| Version | Supported          |
-| ------- | ------------------ |
-| 5.1.x   | :white_check_mark: |
-| 5.0.x   | :x:                |
-| 4.0.x   | :white_check_mark: |
-| < 4.0   | :x:                |
+Only the latest released versions of these extensions, as published on the Visual Studio Code Marketplace, are supported with security updates.
-Use this section to tell people about which versions of your project are
-currently being supported with security updates.
-
-| Version | Supported          |
-| ------- | ------------------ |
-| 5.1.x   | :white_check_mark: |
-| 5.0.x   | :x:                |
-| 4.0.x   | :white_check_mark: |
-| < 4.0   | :x:                |
+The vscode-dotnet-runtime extensions and library do not currently maintain a
+formal matrix of supported historical versions.
+
+Security fixes and other critical patches are generally applied only to the
+latest released version of each package in this repository. To receive
+security updates, use the most recent published versions from the Visual
+Studio Code Marketplace or npm.
+
+If you must use an older version, you are responsible for reviewing changes
+and backporting any fixes you require.
-Use this section to tell people about which versions of your project are
-currently being supported with security updates.
-
-| Version | Supported          |
-| ------- | ------------------ |
-| 5.1.x   | :white_check_mark: |
-| 5.0.x   | :x:                |
-| 4.0.x   | :white_check_mark: |
-| < 4.0   | :x:                |
+Only the latest released versions of these extensions, as published on the Visual Studio Code Marketplace, are supported with security updates.
+## Reporting a Vulnerability
+
+Use this section to tell people how to report a vulnerability.
+
+Tell them where to go, how often they can expect to get an update on a
+reported vulnerability, what to expect if the vulnerability is accepted or
+declined, etc.
-Use this section to tell people how to report a vulnerability.
-
-Tell them where to go, how often they can expect to get an update on a
-reported vulnerability, what to expect if the vulnerability is accepted or
-declined, etc.
+Security vulnerabilities should be reported privately to the Microsoft Security Response Center (MSRC). Please do not file public GitHub issues or discuss potential vulnerabilities in public forums.
+
+If you believe you have found a security vulnerability in this repository or any other Microsoft product or service, please contact MSRC using one of the following methods:
+
+- Email: [secure@microsoft.com](mailto:secure@microsoft.com)
+- Web form: <https://msrc.microsoft.com/create-report>
+
+Include as much detail as possible in your report (such as a description of the issue, steps to reproduce, and any relevant logs or proof of concept). MSRC will review your report, contact you with a case number, and work with the appropriate product team to investigate and remediate the issue in accordance with Microsoft’s security response processes.
-Use this section to tell people how to report a vulnerability.
-
-Tell them where to go, how often they can expect to get an update on a
-reported vulnerability, what to expect if the vulnerability is accepted or
-declined, etc.
+Security vulnerabilities should be reported privately to the Microsoft Security Response Center (MSRC). Please do not file public GitHub issues or discuss potential vulnerabilities in public forums.
+
+If you believe you have found a security vulnerability in this repository or any other Microsoft product or service, please contact MSRC using one of the following methods:
+
+- Email: [secure@microsoft.com](mailto:secure@microsoft.com)
+- Web form: <https://msrc.microsoft.com/create-report>
+
+Include as much detail as possible in your report (such as a description of the issue, steps to reproduce, and any relevant logs or proof of concept). MSRC will review your report, contact you with a case number, and work with the appropriate product team to investigate and remediate the issue in accordance with Microsoft’s security response processes.