chore: add SECURITY.md (#1061)

No change to code. This adds a security policy. Issue #1058
shelljs · Jan 7, 2022 · b4daff5 · b4daff5
1 parent 003a39d
commit b4daff5
Showing 1 changed file with 31 additions and 0 deletions.
diff --git a/.github/SECURITY.md b/.github/SECURITY.md
@@ -0,0 +1,31 @@
+# ShellJS Security Policy
+
+Thank you for reaching out regarding the security of the ShellJS module! Please
+note that this project is maintained on a best-effort basis, however I still
+intend to prioritize reviewing and addressing security issues.
+
+## Supported Versions
+
+I generally only support the latest ShellJS release (see
+https://www.npmjs.com/package/shelljs). My goal is to release security fixes as
+patch releases on top of whatever was most recently shipped.
+
+If breaking changes have already landed on the main development branch, I may
+apply the patch on the relevant release branch (ex.
+[`0.8-release`](https://github.com/shelljs/shelljs/commits/0.8-release) and
+create a new release from there.
+
+## Reporting a Vulnerability
+
+Please report security vulnerabilities to ntfschr@gmail.com. I should respond
+within a few days. Although it's not strictly required, it helps me out if you
+can include any proof of concept exploit code, suggested fix, etc.
+
+**Please do not publicly disclose the suspected vulnerability** until I have a
+chance to review your report. I'd like a chance to patch the code before the
+issue is known to the public.
+
+Please **only** use this email for security issues. It's also OK to use the
+email if you're legitimately unsure if this is a security issue (better safe
+than sorry). But for all other non-security issues, please use the GitHub issue
+tracker.