docs: add comprehensive security policy (#1970)

* docs: add comprehensive security policy * Update SECURITY.md Co-authored-by: Ludovic Ortega <github@mail.adminafk.fr> * Update SECURITY.md Co-authored-by: Ludovic Ortega <github@mail.adminafk.fr> * Update SECURITY.md Co-authored-by: Ludovic Ortega <github@mail.adminafk.fr> --------- Co-authored-by: Ludovic Ortega <github@mail.adminafk.fr>
2025-12-24 02:39:18 -05:00 · 2025-10-06 19:03:22 +01:00
parent 42eec245b7
commit 0217096a1c
1 changed files with 51 additions and 0 deletions
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -0,0 +1,51 @@
+# Security Policy
+
+## Reporting Security Issues
+
+Maintainers and community take security bugs seriously. We appreciate your efforts to responsibly disclose your findings, and will make every effort to acknowledge your contributions.
+
+To report a security issue, please use the GitHub Security Advisory ["Report a Vulnerability"](../../security/advisories/new) tab.
+
+**Please do not report security vulnerabilities through public GitHub issues, discussions, or Discord.**
+
+## What to Include in Your Report
+
+To help us better understand and resolve the issue, please include as much of the following information as possible:
+
+- Full paths of source file(s) related to the manifestation of the issue
+- The location of the affected source code (tag/branch/commit or direct URL)
+- Any special configuration required to reproduce the issue
+- Step-by-step instructions to reproduce the issue
+- Proof-of-concept or exploit code (if possible)
+- Impact of the issue
+
+## Response Timeline
+
+We will send a response indicating the next steps in handling your report. After the initial reply to your report, the security team will keep you informed of the progress towards a fix and full announcement, and may ask for additional information or guidance.
+
+## Disclosure Policy
+
+- Security issues will be disclosed in a coordinated manner
+- We will credit reporters in the security advisory unless anonymity is requested
+- We request that you do not publicly disclose the issue until we have released a fix
+
+## Third-Party Dependencies
+
+If you discover a security vulnerability in a third-party dependency used by Jellyseerr, please report it directly to the maintainers of that module. You can also notify us through our security advisory process so we can:
+
+- Track the issue and monitor for updates
+- Apply patches or workarounds if available
+- Coordinate with upstream maintainers when necessary
+- Communicate the impact to our users
+
+We regularly monitor and update our dependencies to address known security vulnerabilities.
+
+## Security Updates
+
+Security updates and advisories will be published on our [GitHub Security Advisories page](../../security/advisories).
+
+## Community
+
+For general questions and support (non-security related):
+- [GitHub Discussions](../../discussions)
+- [Discord](https://discord.gg/ckbvBtDJgC)