From b07a3903906e03b9eb520fc4da3c5ab221b72237 Mon Sep 17 00:00:00 2001 From: Nguyen Hong Gia Bao Date: Fri, 3 Jul 2026 01:14:38 +0300 Subject: [PATCH] Add SECURITY.md file following GitHub's template Adds a security policy to the repository to provide a clear path for reporting security vulnerabilities, including: - Supported versions information - Reporting instructions - Expected response times - Preferred communication channels This addresses the lack of a documented security process noted in GHSA-85mx-2hxh-5r8p and provides maintainers with a clear framework for handling security reports. --- SECURITY.md | 49 +++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 49 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 000000000000..0642491bbbb0 --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,49 @@ +# Security Policy + +## Supported Versions + +We provide security updates for the following versions of the Java Design Patterns project: + +| Version | Supported | +| ------- | ------------------ | +| Main branch (latest) | :white_check_mark: | +| Older versions | :x: | + +We recommend using the latest version from the main branch to ensure you have the latest security fixes. + +## Reporting a Vulnerability + +We take the security of our project seriously. If you discover a security vulnerability within this project, please send an email to the maintainers at [iluwatar.java.design.patterns@gmail.com](mailto:iluwatar.java.design.patterns@gmail.com). Please do not open a public issue for security vulnerabilities. + +Please include the following information in your report: +- A clear description of the vulnerability +- Steps to reproduce the issue +- Any proof-of-concept code or screenshots +- The version(s) of the project affected +- Potential impact and severity assessment + +We will acknowledge receipt of your report within 48 hours and will keep you informed of our progress toward a fix. We aim to resolve security issues within 30 days of disclosure, depending on the complexity and impact. + +## Preferred Languages + +We prefer to receive security reports in English. + +## Policy + +We follow responsible disclosure practices. Once a vulnerability is confirmed: +1. We will acknowledge your report within 48 hours +2. We will investigate and confirm the vulnerability +3. We will work on a fix and test it thoroughly +4. We will coordinate a public disclosure timeline with you +5. We will credit you in our security advisory (unless you wish to remain anonymous) + +We do not offer bounties for security reports, but we greatly appreciate your help in keeping this project secure for everyone. + +## Scope + +This security policy applies to the Java Design Patterns project repository and all pattern implementations within it. 
It does not cover: +- Individual pattern implementations in forks or derivatives +- Educational examples that intentionally demonstrate vulnerabilities for learning purposes +- Third-party libraries or dependencies used in the project + +For general questions or non-security-related issues, please use the standard issue tracker. \ No newline at end of file
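Review bot: the "Policy" section in this hunk repeats the 48-hour acknowledgement that the "Reporting a Vulnerability" section already commits to ("We will acknowledge receipt of your report within 48 hours" and then step 1 "We will acknowledge your report within 48 hours"), so the two statements will drift apart if one is edited later; drop step 1 from the numbered list or have it refer back to the earlier commitment, and keep the 30-day resolution target in one place as well. The reporting channel is a single plain mailbox with no alternative and no key for encrypting reports, while the policy asks reporters to attach "Any proof-of-concept code or screenshots"; since the commit message cites GHSA-85mx-2hxh-5r8p, the repository already works with GitHub security advisories, so consider pointing reporters at the repository's GitHub private vulnerability reporting form (if enabled) or publishing a PGP key for the mailbox so that proof-of-concept material does not have to travel over unencrypted email. Minor: the file ends without a trailing newline ("\ No newline at end of file"), which editors and linters will flag; add one.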