From 7d0325e80778d614dba20eab23d833f742b5f6c3 Mon Sep 17 00:00:00 2001 From: "Dustin J. Mitchell" Date: Sat, 16 Nov 2024 13:40:35 -0500 Subject: [PATCH] Use Signal instead of PGP to contact me securely (#52) --- SECURITY.md | 13 +++++++++++++ 1 file changed, 13 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..64cd586 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,13 @@ +# Security + +To report a vulnerability, please contact Dustin via signal, [`djmitche.78`](https://signal.me/#eu/2T98jpkMAzvFL2wg3OkZnNrfhk1DFfu6eqkMEPqcAuCsLZPVk39A67rp4khmrMNF). +Initial response is expected within ~48h. + +We kindly ask to follow the responsible disclosure model and refrain from sharing information until: + +1. Vulnerabilities are patched in `taskchampion-sync-server` + 60 days to coordinate with distributions. +2. 90 days since the vulnerability is disclosed to us. + +We recognise the legitimacy of public interest and accept that security researchers can publish information after 90-days deadline unilaterally. + +We will assist with obtaining CVE and acknowledge the vulnerabilities reported.
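Review bot: the two numbered conditions under "refrain from sharing information until:" do not say whether a reporter may publish once either one is met or only once both are; since the following sentence permits unilateral publication after the 90-day deadline, consider making the relation explicit, e.g. "until whichever of the following comes first:". Item 1 ("patched in `taskchampion-sync-server` + 60 days to coordinate with distributions") is also terse enough to misread; something like "60 days after a fix is released in `taskchampion-sync-server`, to give distributions time to update" would be clearer. Minor wording in the same hunk: "via signal" should be "via Signal", and "after 90-days deadline" should be "after the 90-day deadline".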