Added security policy #258

SECURITY.md

@@ -0,0 +1,42 @@
+# Security Policy
+
+## Supported Versions
+
+We currently support the latest stable version of Gokapi. Security updates are provided on a best-effort basis for the most recent release.
+
+| Version | Supported          |
+| ------- | ------------------ |
+| Latest  | ✅                 |
+| Older   | ❌                 |
+
+## Reporting a Vulnerability
+
+If you discover a security vulnerability in Gokapi, please **do not open a public issue**.
+
+Instead, use GitHub’s [**"Report a vulnerability"**](https://github.com/Forceu/Gokapi/security/advisories/new) feature on this repository. This ensures your report stays private and will be reviewed promptly by the maintainers.
+
+To report a vulnerability:
+
+1. Go to the **Security** tab of the Gokapi repository.
+2. Click on **"Report a vulnerability"**.
+3. Fill out the form with as much detail as possible.
+
+We aim to acknowledge valid reports within **3 business days** and address them as quickly as possible.
+
+## Disclosure Policy
+
+Once a vulnerability is reported, we will:
+
+1. Acknowledge receipt within 72 hours.
+2. Investigate and validate the issue.
+3. Develop a fix or mitigation strategy.
+4. Coordinate a release with credit to the reporter (unless anonymity is requested).
+5. Publish a security advisory via GitHub once the fix is released.
+
+## Scope
+
+This policy applies to the Gokapi codebase and documentation in this repository. Vulnerabilities in third-party dependencies should be reported to the appropriate maintainers.
+
+---
+
+Thank you for helping keep Gokapi secure!