diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..1ff3b0e --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,12 @@ +# Security Policy + +## Reporting a Vulnerability + +If there are any vulnerabilities in `@readme/variable`, don't hesitate to _report them_. + +Please email security@readme.io and describe what you've found. + +- If you have a fix, explain or attach it. +- In the near time, expect a reply with the required steps. Also, there may be a demand for a pull request which include the fixes. + +> You should not disclose the vulnerability publicly if you haven't received an answer in some weeks. If the vulnerability is rejected, you may post it publicly within some hour of rejection, unless the rejection is withdrawn within that time period. After the vulnerability has been fixed, you may disclose the vulnerability details publicly over some days.