[PATCH v1] Add security policy


Zhihang Wei

Nov 14, 2025, 11:01:00 AM
to isar-...@googlegroups.com
Signed-off-by: Zhihang Wei <w...@ilbers.de>
Signed-off-by: Baurzhan Ismagulov <i...@ilbers.de>
---
SECURITY.md | 21 +++++++++++++++++++++
1 file changed, 21 insertions(+)
create mode 100644 SECURITY.md

diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 00000000..276db42c
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,21 @@
+# Security Policy
+
+## Supported Versions
+
+Only `master` is supported with security updates.
+
+## Reporting a Vulnerability
+
+Please DO NOT report any potential security vulnerability via a public channel
+(mailing list, github issue, etc.). Instead, create a report via
+https://github.com/ilbers/isar/security/advisories/new or contact the
+maintainers by email at secu...@isar-build.org. Please provide a detailed
+description of the issue, the steps to reproduce it, the affected versions and,
+if already available, a proposal for a fix. You should receive a response
+within 15 business days. If for some reason you do not, please follow up by
+email to ensure we received your original message.
+
+If we confirm the issue as a vulnerability, we will open a Security Advisory on
+github and give credits for your report if desired. We follow the coordinated
+vulnerability disclosure model and will define an appropriate disclosure
+timeline together with you.
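Review bot: "Only `master` is supported with security updates" under Supported Versions leaves open whether fixes are also back-ported to tagged releases or older branches; state explicitly that security fixes are applied on top of `master` only, so reporters and downstream users do not assume otherwise. Minor style point in the same hunk: "github issue" and "Security Advisory on github" should read "GitHub", matching the project name as used in the URL.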
--
2.39.5

Jan Kiszka

Nov 14, 2025, 11:35:55 AM
to Zhihang Wei, isar-...@googlegroups.com
On 14.11.25 17:00, Zhihang Wei wrote:
> Signed-off-by: Zhihang Wei <w...@ilbers.de>
> Signed-off-by: Baurzhan Ismagulov <i...@ilbers.de>
> ---
> SECURITY.md | 21 +++++++++++++++++++++
> 1 file changed, 21 insertions(+)
> create mode 100644 SECURITY.md
>
> diff --git a/SECURITY.md b/SECURITY.md
> new file mode 100644
> index 00000000..276db42c
> --- /dev/null
> +++ b/SECURITY.md
> @@ -0,0 +1,21 @@
> +# Security Policy
> +
> +## Supported Versions
> +
> +Only `master` is supported with security updates.

That means that there is no back-porting to previous releases, right?

"Security updates will only be provided on top of the `master` branch."

> +
> +## Reporting a Vulnerability
> +
> +Please DO NOT report any potential security vulnerability via a public channel
> +(mailing list, github issue, etc.). Instead, create a report via
> +https://github.com/ilbers/isar/security/advisories/new or contact the
> +maintainers by email at secu...@isar-build.org. Please provide a detailed
> +description of the issue, the steps to reproduce it, the affected versions and,
> +if already available, a proposal for a fix. You should receive a response
> +within 15 business days. If for some reason you do not, please follow up by
> +email to ensure we received your original message.
> +
> +If we confirm the issue as a vulnerability, we will open a Security Advisory on
> +github and give credits for your report if desired. We follow the coordinated
> +vulnerability disclosure model and will define an appropriate disclosure
> +timeline together with you.
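Review bot: the reporting section offers an e-mail address as an alternative to the GitHub advisory form but publishes no PGP key or fingerprint for it, so the requested "detailed description of the issue, the steps to reproduce it" would travel in cleartext over that path. Either add a key (or a link to one) next to the address, or say that sensitive details should go through the advisory form and e-mail be used only to request the key or to follow up.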

Jan

--
Siemens AG, Foundational Technologies
Linux Expert Center

Baurzhan Ismagulov

Nov 19, 2025, 12:09:10 PM
to isar-...@googlegroups.com
From: Zhihang Wei <w...@ilbers.de>

Signed-off-by: Zhihang Wei <w...@ilbers.de>
Signed-off-by: Baurzhan Ismagulov <i...@ilbers.de>
---
SECURITY.md | 21 +++++++++++++++++++++
1 file changed, 21 insertions(+)
create mode 100644 SECURITY.md

diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 00000000..2ba12ff8
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,21 @@
+# Security Policy
+
+## Supported Versions
+
+Security updates will only be provided on top of the `master` branch.
+
+## Reporting a Vulnerability
+
+Please DO NOT report any potential security vulnerability via a public channel
+(mailing list, github issue, etc.). Instead, create a report via
+https://github.com/ilbers/isar/security/advisories/new or contact the
+maintainers by email at secu...@isar-build.org. Please provide a detailed
+description of the issue, the steps to reproduce it, the affected versions and,
+if already available, a proposal for a fix. You should receive a response
+within 15 business days. If for some reason you do not, please follow up by
+email to ensure we received your original message.
+
+If we confirm the issue as a vulnerability, we will open a Security Advisory on
+github and give credits for your report if desired. We follow the coordinated
+vulnerability disclosure model and will define an appropriate disclosure
+timeline together with you.
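Review bot: "within 15 business days" is three calendar weeks before a reporter is told to assume the message was lost; consider a shorter acknowledgement window (for example a few business days for a receipt) separate from the time needed to assess the report, otherwise a reporter following a typical 90-day disclosure clock has already used a sizeable part of it before knowing the report arrived. The same hunk still spells "github" in lower case twice ("github issue", "Security Advisory on github"); "GitHub" would match the URL.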
--
2.39.5

Baurzhan Ismagulov

Nov 19, 2025, 12:11:11 PM
to isar-...@googlegroups.com, Zhihang Wei, Jan Kiszka
On 2025-11-14 17:35, 'Jan Kiszka' via isar-users wrote:
> > +Only `master` is supported with security updates.
>
> That means that there is no back-porting to previous releases, right?
>
> "Security updates will only be provided on top of the `master` branch."

Thanks, sent v2.

With kind regards,
Baurzhan

Zhihang Wei

Nov 26, 2025, 4:45:49 AM
to Baurzhan Ismagulov, isar-...@googlegroups.com
Applied to next, thanks.