From 4bf6144dafb16f78a2dcb3ae8f5c671e84cd4140 Mon Sep 17 00:00:00 2001 From: Thomas Lauf Date: Mon, 21 Oct 2024 21:16:25 +0200 Subject: [PATCH] Add SECURITY.md (#3655) --- SECURITY.md | 13 +++++++++++++ 1 file changed, 13 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 000000000..1fb4ee7bc --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,13 @@ +# Security + +To report a vulnerability, please contact [dustin@cs.uchicago.edu](mailto:dustin@cs.uchicago.edu), you may use GPG public-key D8097934A92E4B4210368102FF8B7AC6154E3226 which is available [here](https://keybase.io/djmitche/pgp_keys.asc?fingerprint=d8097934a92e4b4210368102ff8b7ac6154e3226). +Initial response is expected within ~48h. + +We kindly ask to follow the responsible disclosure model and refrain from sharing information until: + +1. Vulnerabilities are patched in Taskwarrior + 60 days to coordinate with distributions. +2. 90 days since the vulnerability is disclosed to us. + +We recognise the legitimacy of public interest and accept that security researchers can publish information after 90-days deadline unilaterally. + +We will assist with obtaining CVE and acknowledge the vulnerabilities reported.
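Review bot: the two numbered disclosure conditions in the new SECURITY.md leave it unclear whether a reporter must wait for both (patch release plus 60 days, and 90 days since the report) or only for whichever comes first; the final paragraph, which accepts unilateral publication after 90 days, suggests the latter, so the list should say so explicitly, e.g. "refrain from sharing information until the earlier of:". Two smaller points in the same text: "We kindly ask to follow" is missing its object ("We kindly ask you to follow"), and "after 90-days deadline" / "obtaining CVE" should read "after the 90-day deadline" / "obtaining a CVE". On the contact details, the fingerprint is stated inline but the key itself is only reachable through a third-party host (keybase.io); consider also committing the public key to the repository so reporters can verify it against the fingerprint offline, and consider listing a second contact or a project alias, since the policy currently depends on a single individual's address being reachable within the promised ~48h.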