From fc662926a362e35fcd3c252aad0eea8eae368b90 Mon Sep 17 00:00:00 2001 From: Kijin Sung Date: Tue, 5 Jan 2021 23:39:57 +0900 Subject: [PATCH] Add GitHub security policy --- SECURITY.md | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 000000000..065605150 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,17 @@ +Security Policy +--------------- + +### Supported Versions + +Only the latest version is actively supported. + +## Reporting a Vulnerability + +Please report possible vulnerabilities by email to devops@rhymix.org. +Please DO NOT use GitHub issues or pull requests for this purpose. + +We do not consider it a vulnerability if the superuser (is_admin=Y) account +can insert scripts or delete information. That's what the superuser account is for! +It will, however, be considered a serious vulnerability if someone else can +trick a superuser to perform such actions inadvertently, +for example through a CSRF attack.
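Review bot: The section headings in the new SECURITY.md sit at inconsistent levels: `### Supported Versions` is an H3 while `## Reporting a Vulnerability` is an H2, and the dash-underlined `Security Policy` title is itself an H2, so the reporting section renders as a sibling of the title instead of a subsection. Use one level for both sections, and make the title an H1 (`# Security Policy` or an `===` underline). In the Supported Versions section, "the latest version" does not say whether that means the latest tagged release or the current development branch; naming one tells reporters what to test against. In the reporting section, the only channel given is a plain email address; it would help to state what a report should contain and when the reporter can expect an acknowledgement. The scope paragraph about `is_admin=Y` is a useful exclusion and the CSRF example makes the boundary clear, so I would keep that wording.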