Merge pull request #190 from GSA/add-security-policy

akf · web-flow · commit 151d03cf6c6a · 2026-03-13T09:50:36.000-07:00
Add SECURITY.md
diff --git a/SECURITY.md b/SECURITY.md
@@ -0,0 +1,32 @@
+# Security Policy
+
+As a U.S. Government agency, the General Services Administration (GSA) takes
+seriously our responsibility to protect the public's information, including
+financial and personal information, from unwarranted disclosure.
+
+## Reporting a Vulnerability
+
+Services operated by the U.S. General Services Administration (GSA)
+are covered by the **GSA Vulnerability Disclosure Program (VDP)**.
+
+See the [GSA Vulnerability Disclosure Policy](https://www.gsa.gov/vulnerability-disclosure-policy)
+at <https://www.gsa.gov/vulnerability-disclosure-policy> for details including:
+
+* How to submit a report if you believe you have discovered a vulnerability.
+* Bug bounty scope.
+* GSA's coordinated disclosure policy.
+* Information on how you may conduct security research on GSA developed
+  software and systems.
+* Important legal and policy guidance.
+
+## Supported Versions
+
+Please note that only certain branches are supported with security updates.
+
+| Version (Branch) | Supported          |
+| ---------------- | ------------------ |
+| main             | :white_check_mark: |
+| other            | :x:                |
+
+When using this code or reporting vulnerabilities please only use supported
+versions.
