From a3a087a858ad52f266f44f1c7dab25207a465eb4 Mon Sep 17 00:00:00 2001
From: Jay <finallyjay@gmail.com>
Date: Wed, 8 Apr 2026 17:45:18 +0200
Subject: [PATCH] [Repo] feat: Add security policy

Provides instructions for responsibly reporting
vulnerabilities via private advisory.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 SECURITY.md | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)
 create mode 100644 SECURITY.md

diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 0000000..2d114df
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,29 @@
+# Security Policy
+
+## Reporting a Vulnerability
+
+If you discover a security vulnerability in this project,
+please report it responsibly.
+
+**Do not open a public issue.** Instead, contact the
+maintainer directly by email or through a
+[private security advisory](https://github.com/finallyjay/selfhosted-docker-services/security/advisories/new).
+
+Please include:
+
+- A description of the vulnerability
+- Steps to reproduce the issue
+- The affected service(s) and version(s)
+
+You can expect an initial response within 72 hours.
+
+## Scope
+
+This policy applies to the Docker Compose configurations
+and related files in this repository. Vulnerabilities in
+upstream container images should be reported to their
+respective maintainers.
+
+## Supported Versions
+
+Only the latest version on the `main` branch is supported.