From 17346b657e871ec804768eed63195b92b5dd64a0 Mon Sep 17 00:00:00 2001
From: Gary Allan <github@gallan.co.uk>
Date: Fri, 1 Oct 2021 21:11:22 +0100
Subject: [PATCH] Feature: Add SECURITY.md and update README.md

Closes #3405
---
 README.md   | 10 +++++++---
 SECURITY.md | 20 ++++++++++++++++++++
 2 files changed, 27 insertions(+), 3 deletions(-)
 create mode 100644 SECURITY.md

diff --git a/README.md b/README.md
index 76fe7f6d..485ad41d 100755
--- a/README.md
+++ b/README.md
@@ -32,10 +32,14 @@ the demo page: `Admin / ipamadmin`
 Community maintained docker images are available at https://hub.docker.com/u/phpipam
 
 ## Changelog
-See misc/CHANGELOG
+See [misc/CHANGELOG](misc/CHANGELOG)
 
 ## Roadmap
-See misc/Roadmap
+See [misc/Roadmap](misc/Roadmap)
+
+## Security
+
+See [SECURITY.md](SECURITY.md)
 
 ## Contact
 miha.petkovsek@gmail.com
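Review bot: the new `## Security` section is laid out with a blank line between the heading and its body, while the neighbouring `## Changelog` and `## Roadmap` sections in the same hunk put the `See …` line directly under the heading; consider matching the existing layout (`## Security` immediately followed by `See [SECURITY.md](SECURITY.md)`) so the README sections stay consistent. The relative links added here are fine as long as `misc/CHANGELOG` and `misc/Roadmap` keep those paths, which this patch does not change.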
@@ -46,4 +50,4 @@ that is used for development of phpIPAM and for demo site.
 And also to all users that filed a bug report / feature report and helped with feature testing!
 
 ## License
-phpIPAM is released under the GPL v3 license, see misc/gpl-3.0.txt.
+phpIPAM is released under the GPL v3 license, see [misc/gpl-3.0.txt](misc/gpl-3.0.txt).
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 00000000..430594b3
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,20 @@
+# Security Policy
+
+## Supported Versions
+
+The development branch and non-obsolete production branches listed in [README.md](README.md) are supported with security updates.
+
+Issues only in feature testing (non-production) branches should be reported via the GitHub issue tracker.
+
+## Reporting a Vulnerability
+
+Please report suspected security vulnerabilities to the contacts below. We will aim to acknowledge your email within 48 hours but could be longer (holidays etc...)
+
+- Gary Allan (maintainer) github@gallan.co.uk
+- Miha Petkovsek (owner) miha.petkovsek@gmail.com
+
+## Guidelines
+
+CVE numbers will not be provided by the phpIPAM project due to lack of resources to manage their lifecycle. If you require a CVE number please obtain prior to reporting a vulnerability and include with your submission.
+
+Issues that are the responsibility of end-users such as use of weak passwords or choice to deploy with HTTP vs HTTPS will be rejected.
\ No newline at end of file
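Review bot: the "Supported Versions" paragraph sends security issues that affect only feature-testing branches to the public GitHub issue tracker, which discloses the details before any fix exists; consider asking reporters to use the same private contacts listed under "Reporting a Vulnerability" (or at least to withhold reproduction details from public issues) regardless of branch. Two smaller points in the same hunk: the `\ No newline at end of file` marker means SECURITY.md is missing its trailing newline, and "please obtain prior to reporting" in the Guidelines section reads better as "please obtain one prior to reporting a vulnerability and include it with your submission". The "48 hours but could be longer (holidays etc...)" sentence could also state the acknowledgement target more plainly, e.g. "We aim to acknowledge reports within 48 hours; this may take longer over holidays."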
-- 
GitLab