Here’s a strong, clear, and actionable security policy template for your repository, tailored to open-source projects and best practices:
We actively provide security updates for the following versions of this project:
| Version | Supported |
|---|---|
| 1.0.x | ✅ |
| < 1.0 | ❌ |
Note: Only the latest major version and the previous major version receive security updates. Older versions are unsupported and may contain unpatched vulnerabilities.
We take security seriously. If you discover a vulnerability, do not open a public issue. Instead, follow these steps:
- GitHub Security Advisory: If you have a GitHub account, you can submit a vulnerability privately via GitHub’s Security Advisory feature.
Please include the following in your report:
- A clear description of the vulnerability.
- Steps to reproduce the issue.
- Potential impact (e.g., data exposure, remote code execution).
- Any suggested fixes or mitigations.
After you submit a report, you can expect the following:
- Acknowledgment: You’ll receive a response within 48 hours confirming receipt of your report.
- Triage: We’ll assess the vulnerability and determine its severity.
- Updates: You’ll receive regular updates on the progress of the fix.
- Resolution: If the vulnerability is accepted, we’ll work on a patch and release it as soon as possible.
- Disclosure: We’ll publicly disclose the vulnerability (with credit to you, if desired) after a fix is released.
The following are out of scope for this policy:
- Issues related to unsupported versions.
- Reports of non-exploitable weaknesses or theoretical risks without a proof of concept.
- Responsible Disclosure: We ask that you keep the vulnerability confidential until we release a fix.
- Bug Bounty: If applicable, mention whether you offer rewards for valid reports.
Would you like me to adapt this further for your specific project (e.g., adding a bug bounty program, customizing the contact method, or including a PGP key for encrypted reports)?