From 513467194c5e686a477b675fb09627b3150b3646 Mon Sep 17 00:00:00 2001
From: Alex Zamponi <562324+alexz707@users.noreply.github.com>
Date: Fri, 26 Apr 2024 15:56:42 +0200
Subject: [PATCH] Update SECURITY.md

Part of pimcore/planning#365
---
 SECURITY.md | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)
 create mode 100644 SECURITY.md

diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 0000000..cd3189e
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,22 @@
+# Security Policy
+
+## Reporting a Vulnerability
+
+If you think that you have found a security issue,
+don’t use the bug tracker and don’t publish it publicly.
+Instead, all security issues must be reported via a private vulnerability report.
+
+Please follow the [instructions](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/privately-reporting-a-security-vulnerability#privately-reporting-a-security-vulnerability) to submit a private report.
+
+
+## Resolving Process
+Every submitted security issue is handled with top priority by following these steps:
+
+1. Confirm the vulnerability
+2. Determine the severity
+3. Contact reporter
+4. Work on a patch
+5. Get a CVE identification number (may be done by the reporter or a security service provider)
+6. Patch reviewing
+7. Tagging a new release for supported versions
+8. Publish security announcement
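Review bot: Step 7 ("Tagging a new release for supported versions") depends on a list of supported versions that the file never gives, so a reporter cannot tell whether the version they tested is in scope. Consider adding a short "Supported Versions" section or a link to where that is maintained. In the "Reporting a Vulnerability" section, the linked GitHub instructions only work when private vulnerability reporting is enabled on the repository, so it is worth confirming that setting or naming a fallback contact. The steps also give the reporter no expected acknowledgement time, and "Contact reporter" comes only after confirmation and severity assessment, so an initial acknowledgement step with a target timeframe would help. Style: "## Resolving Process" lacks the blank line that follows the other headings and is preceded by two blank lines, and "don’t" uses typographic apostrophes where plain ASCII would be more consistent.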