From 22bc904591fec815c2ccc6d3505b45c4088c6f69 Mon Sep 17 00:00:00 2001 From: Finn Westendorf Date: Fri, 20 Aug 2021 13:47:25 +0200 Subject: [PATCH] Add SECURITY.md VN-2745 --- SECURITY.md | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 000000000..b39d216a4 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,29 @@ +# Security Policy + +## Supported Versions + +Only the latest version of verinice has all security updates. + +## Reporting a Vulnerability + +Please e-mail [verinice@sernet.de](mailto:verinice@sernet.de) if you believe you have found a vulnerability in verinice. +Minor security issues can be publicly reported on GitHub. + +In your bug report, please try to cover the following info: +- Proof of Concept: exact steps to reproduce the bug +- How did you discover the vulnerability? +- Your estimation of impact +- Suggestions for a fix + +When receiving a bug report, we will look at it internally before answering, so expect some delay until you get an answer. +Once we confirmed and talked about the vulnerability, we will contact you. + +### Public Disclosure + +Please give us up to 120 days to fix the vulnerability you reported, once the patch is public you can disclose it. + +## Hall of Fame + +In this section we thank researchers who submitted critical vulnerabilities to us. + +- Frank Nusko (SECIANUS GmbH & Co. KG) RCE via insecure deserialization CVE-2021-36981
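Review bot: The "Public Disclosure" line in the new SECURITY.md ("Please give us up to 120 days to fix the vulnerability you reported, once the patch is public you can disclose it.") is a comma splice and leaves the 120-day window ambiguous: it does not say whether the reporter may disclose once 120 days have passed without a public patch, or only once a patch is public regardless of elapsed time. Suggest splitting it into two sentences that state both conditions explicitly, e.g. "Please give us up to 120 days to fix the vulnerability you reported. You may disclose it once the patch is public, or after 120 days have elapsed." The same section should say what channel the "Minor security issues can be publicly reported on GitHub" line applies to, since a reporter has no criterion for deciding what counts as minor before a public issue is filed; a short rule of thumb (anything that could expose data or allow code execution goes to the e-mail address) would close that gap. Two smaller points: "Once we confirmed and talked about the vulnerability, we will contact you." should read "Once we have confirmed and discussed the vulnerability, we will contact you.", and since the policy directs reports to a plain mailto address, consider noting whether an encryption key is available for reports containing proof-of-concept details.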