From 344c1b64d301a0b5ea511fcbc3b6800664904f74 Mon Sep 17 00:00:00 2001 From: Guus Sliepen Date: Fri, 2 Jul 2021 16:55:43 +0200 Subject: [PATCH] Add a SECURITY.md file describing our security policy. --- Makefile.am | 2 +- SECURITY.md | 29 +++++++++++++++++++++++++++++ 2 files changed, 30 insertions(+), 1 deletion(-) create mode 100644 SECURITY.md diff --git a/Makefile.am b/Makefile.am index b3b5a037..568d5483 100644 --- a/Makefile.am +++ b/Makefile.am @@ -6,7 +6,7 @@ SUBDIRS = src doc test systemd bash_completion.d ACLOCAL_AMFLAGS = -I m4 -EXTRA_DIST = COPYING.README README.android +EXTRA_DIST = COPYING.README README.android SECURITY.md @CODE_COVERAGE_RULES@ diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 00000000..f3a2dea3 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,29 @@ +# Security Policy + +## Reporting a Vulnerability + +If you have found a security vulnerability in tinc, please email +guus@tinc-vpn.org directly. You can encrypt the email using PGP if desired. We +will try to respond within 48 hours. If there is no response, try to contact us +via alternate means listed at https://www.tinc-vpn.org/contact/. + +## Disclosure Policy + +We greatly prefer to use the responsible disclosure model. After we have been +contacted about a potential vulnerability, we will do the following: + +- Confirm the problem and determine the affected versions. +- Register a CVE number. +- Prepare a fix for all affected versions of tinc. +- Coordinate a release of the fix with Linux and BSD distributions. +- Disclose the vulneratbility after the fix has been released and any agreed + upon embargo period has expired. + +## Supported Versions + +Currently we support the 1.0.x and 1.1.x branches of tinc. + +| Version | Supported | +| ------- | ---------- | +| 1.1.x | yes | +| 1.0.x | yes | -- 2.20.1
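Review bot: In the SECURITY.md hunk, the "Reporting a Vulnerability" section offers PGP encryption ("You can encrypt the email using PGP if desired") but gives no key ID, fingerprint, or URL where the key can be fetched, so a reporter has no way to verify which key to use; consider adding a line such as "The PGP key for guus@tinc-vpn.org is available at <URL>" with its fingerprint. In the "Disclosure Policy" list, "Disclose the vulneratbility after the fix has been released" has a typo ("vulneratbility" should be "vulnerability"), and "Register a CVE number" would read more precisely as "Request a CVE identifier", since CVE IDs are assigned by a CNA rather than registered by the project. Finally, the Supported Versions table uses a second-column separator ("| ---------- |") wider than its header cell; trimming it to match the header keeps the Markdown table tidy.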