diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 000000000000..0642491bbbb0 --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,49 @@ +# Security Policy + +## Supported Versions + +We provide security updates for the following versions of the Java Design Patterns project: + +| Version | Supported | +| ------- | ------------------ | +| Main branch (latest) | :white_check_mark: | +| Older versions | :x: | + +We recommend using the latest version from the main branch to ensure you have the latest security fixes. + +## Reporting a Vulnerability + +We take the security of our project seriously. If you discover a security vulnerability within this project, please send an email to the maintainers at [iluwatar.java.design.patterns@gmail.com](mailto:iluwatar.java.design.patterns@gmail.com). Please do not open a public issue for security vulnerabilities. + +Please include the following information in your report: +- A clear description of the vulnerability +- Steps to reproduce the issue +- Any proof-of-concept code or screenshots +- The version(s) of the project affected +- Potential impact and severity assessment + +We will acknowledge receipt of your report within 48 hours and will keep you informed of our progress toward a fix. We aim to resolve security issues within 30 days of disclosure, depending on the complexity and impact. + +## Preferred Languages + +We prefer to receive security reports in English. + +## Policy + +We follow responsible disclosure practices. Once a vulnerability is confirmed: +1. We will acknowledge your report within 48 hours +2. We will investigate and confirm the vulnerability +3. We will work on a fix and test it thoroughly +4. We will coordinate a public disclosure timeline with you +5. We will credit you in our security advisory (unless you wish to remain anonymous) + +We do not offer bounties for security reports, but we greatly appreciate your help in keeping this project secure for everyone. + +## Scope + +This security policy applies to the Java Design Patterns project repository and all pattern implementations within it. 
It does not cover: +- Individual pattern implementations in forks or derivatives +- Educational examples that intentionally demonstrate vulnerabilities for learning purposes +- Third-party libraries or dependencies used in the project + +For general questions or non-security-related issues, please use the standard issue tracker. \ No newline at end of file
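Review bot: the timeline in "Reporting a Vulnerability" is ambiguous: "within 30 days of disclosure" reads as 30 days after public disclosure, which contradicts the Policy section where public disclosure is coordinated only after a fix exists; change it to "within 30 days of receiving the report" (or "of acknowledgement") so the reporter knows when the clock starts. The 48-hour acknowledgement commitment is stated twice (once in "Reporting a Vulnerability" and again as Policy step 1); keep it in one place so the two copies cannot drift apart. The only reporting channel is a plain Gmail address, so every proof-of-concept is sent unencrypted; consider either publishing a PGP key for that address or pointing reporters at GitHub's private vulnerability reporting on the repository, which keeps the PoC off public issues and out of mail transit. In "Scope", the exclusion "Educational examples that intentionally demonstrate vulnerabilities for learning purposes" is unverifiable unless those examples are marked as intentional in the code or README; say how a reporter can tell an intentional demonstration from an accidental bug, otherwise every report becomes a scope argument. Excluding "Third-party libraries or dependencies" wholesale also leaves no instruction for the common case of a vulnerable dependency version pinned by this project's build; state that such reports are welcome and will be handled by bumping the dependency, while the underlying bug should go upstream. Finally, the file ends without a trailing newline ("\ No newline at end of file"); add one so later edits do not produce a spurious last-line change.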