--- /dev/null
+# Security Policy
+
+## Reporting a Vulnerability
+
+If you have found a security vulnerability in tinc, please email
+guus@tinc-vpn.org directly. You can encrypt the email using PGP if desired. We
+will try to respond within 48 hours. If there is no response, try to contact us
+via alternate means listed at https://www.tinc-vpn.org/contact/.
+
+## Disclosure Policy
+
+We greatly prefer to use the responsible disclosure model. After we have been
+contacted about a potential vulnerability, we will do the following:
+
+- Confirm the problem and determine the affected versions.
+- Register a CVE number.
+- Prepare a fix for all affected versions of tinc.
+- Coordinate a release of the fix with Linux and BSD distributions.
+- Disclose the vulneratbility after the fix has been released and any agreed
+ upon embargo period has expired.
+
+## Supported Versions
+
+Currently we support the 1.0.x and 1.1.x branches of tinc.
+
+| Version | Supported |
+| ------- | ---------- |
+| 1.1.x | yes |
+| 1.0.x | yes |
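Review bot: In "Reporting a Vulnerability", the line "You can encrypt the email using PGP if desired" gives no key fingerprint and no pointer to where the public key is published, so a reporter cannot tell which key to use or verify that it is the right one. Add the fingerprint or a link to the key next to the address. In the same section, "If there is no response" does not say how long to wait before using the alternate contacts; tying it to the 48-hour target in the preceding sentence would remove the ambiguity. In the "Disclosure Policy" list, "vulneratbility" should be "vulnerability", and "agreed upon embargo period" reads better as "agreed-upon embargo period".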