Add SECURITY.md for vulnerability reporting policy (#4357)

pritishpai · web-flow · commit a83e90e6575d · 2025-08-07T19:09:59.000Z
## Changes Add SECURITY.md for vulnerability reporting policy with details about reporting and the email to reach out to. ### Linked issues Resolves #4230 ### Functionality - [x] added relevant user documentation
diff --git a/SECURITY.md b/SECURITY.md
@@ -0,0 +1,25 @@
+# Security Policy
+
+We take the security of UCX seriously and appreciate the efforts of security researchers and users to responsibly disclose any vulnerabilities.
+
+## Supported Versions
+
+Security update releases will only apply to the latest version of UCX and will not be backported. When a security update is released, it will be called out at the top of the version release notes.
+
+## Reporting a Vulnerability
+
+If you discover a security vulnerability in UCX:
+
+- **DO NOT** open a public GitHub issue.
+- Please email us at [labs@databricks.com](mailto:labs@databricks.com) with:
+  - A description of the vulnerability
+  - Steps to reproduce it
+  - Potential impact or affected components
+- Alternatively, you can also share this information directly with your Databricks representative.
+
+We will review your report promptly and work with you to verify and resolve the issue. We aim to acknowledge receipt of your report within 48 hours.
+
+## Security Best Practices
+
+- Use the latest released version of UCX.
+- Review UCX [documentation](https://databrickslabs.github.io/ucx/) for recommended configurations and operational security considerations.
