From 0ba77674c72324b6f533acfc8d2cbf328b9448a0 Mon Sep 17 00:00:00 2001
From: Jade Ellis <jade@ellis.link>
Date: Sun, 25 May 2025 00:36:28 +0100
Subject: [PATCH] docs: Security policy

---
 SECURITY.md      | 59 ++++++++++++++++++++++++++++++++++++++++++++++++
 docs/SUMMARY.md  |  1 +
 docs/security.md |  1 +
 3 files changed, 61 insertions(+)
 create mode 100644 SECURITY.md
 create mode 100644 docs/security.md

diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 00000000..c5355491
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,59 @@
+# Security Policy for Continuwuity
+
+This document outlines the security policy for Continuwuity. Our goal is to maintain a secure platform for all users, and we take security matters seriously.
+
+## Supported Versions
+
+We provide security updates for the following versions of Continuwuity:
+
+| Version        | Supported        |
+| -------------- |:----------------:|
+| Latest release |        ✅        |
+| Main branch    |        ✅        |
+| Older releases |        ❌        |
+
+## Reporting a Vulnerability
+
+### Responsible Disclosure
+
+We appreciate the efforts of security researchers and the community in identifying and reporting vulnerabilities. To ensure that potential vulnerabilities are addressed properly, please follow these guidelines:
+
+1. **Email the security team** directly at [security@continuwuity.org](mailto:security@continuwuity.org)
+2. Contact members of the team over E2EE private message.
+   - [@jade:ellis.link](https://matrix.to/#/@jade:ellis.link)
+   - [@nex:nexy7574.co.uk](https://matrix.to/#/@nex:nexy7574.co.uk) <!-- ? -->
+3. **Do not disclose the vulnerability publicly** until it has been addressed
+4. **Provide detailed information** about the vulnerability, including:
+   - A clear description of the issue
+   - Steps to reproduce
+   - Potential impact
+   - Any possible mitigations
+   - Version(s) affected, including specific commits if possible
+
+### What to Expect
+
+When you report a security vulnerability:
+
+1. **Acknowledgment**: We will acknowledge receipt of your report.
+2. **Assessment**: We will assess the vulnerability and determine its impact on our users
+3. **Updates**: We will provide updates on our progress in addressing the vulnerability, and may request you help test mitigations
+4. **Resolution**: Once resolved, we will notify you and discuss coordinated disclosure
+5. **Credit**: We will recognize your contribution (unless you prefer to remain anonymous)
+
+## Security Update Process
+
+When security vulnerabilities are identified:
+
+1. We will develop and test fixes in a private branch
+2. Security updates will be released as soon as possible
+3. Release notes will include information about the vulnerabilities, avoiding details that could facilitate exploitation where possible
+4. Critical security updates may be backported to the previous stable release
+
+## Additional Resources
+
+- [Matrix Security Disclosure Policy](https://matrix.org/security-disclosure-policy/)
+- [Continuwuity Documentation](https://continuwuity.org/introduction)
+
+---
+
+This security policy was last updated on May 25, 2025.
diff --git a/docs/SUMMARY.md b/docs/SUMMARY.md
index 473c9e74..af729003 100644
--- a/docs/SUMMARY.md
+++ b/docs/SUMMARY.md
@@ -20,3 +20,4 @@
   - [Testing](development/testing.md)
   - [Hot Reloading ("Live" Development)](development/hot_reload.md)
 - [Community (and Guidelines)](community.md)
+- [Security](security.md)
diff --git a/docs/security.md b/docs/security.md
new file mode 100644
index 00000000..b4474cf5
--- /dev/null
+++ b/docs/security.md
@@ -0,0 +1 @@
+{{#include ../SECURITY.md}}