From 8ca00161fae34ee5fb5bdb456d990c4dc1bc33f9 Mon Sep 17 00:00:00 2001 From: Manuel <30572287+manuel-rw@users.noreply.github.com> Date: Sun, 15 Dec 2024 15:16:31 +0100 Subject: [PATCH] docs: create SECURITY.md (#1662) --- SECURITY.md | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 000000000..493565dc0 --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,29 @@ +# Security Policy +This policy is relevant if you found potential vulnerabilities in an audit. +We consider something as a vulnerability if it... +1. puts users or user data at risk +2. enables third parties to gain control or access (e.g. [RATs](https://en.wikipedia.org/wiki/Remote_desktop_software#RAT), [privilege escalation](https://en.wikipedia.org/wiki/Privilege_escalation), ...) +3. abuses the system in an unintended way (e.g. crypto mining, proxy, ...) + +## Supported Versions + +| Version | Supported | +| ------- | ------------------ | +| >1.0.0 | :white_check_mark: | +| <1.0.0 | :x: | + +## Reporting a Vulnerability +We use [GitHub's system for reporting vulnerabilities](https://docs.github.com/en/enterprise-cloud@latest/code-security/security-advisories/working-with-repository-security-advisories/creating-a-repository-security-advisory). +Click [**here to report an advisory**](https://github.com/homarr-labs/homarr/security/advisories/new). Our team will get notified and will get back to you within 1-6 business days. + +As a general guideline; please provide as much detail as possible and provide reproduction steps / documentation regarding the re-creation. +You may also provide a fork with a fix for the vulnerability. +See https://cheatsheetseries.owasp.org/cheatsheets/Vulnerability_Disclosure_Cheat_Sheet.html for guidelines regarding disclosure. + +If you're unable / unwilling (or it's not safe) to disclose vulnerabilites via GitHub, please report them with the subject "Security advisory - CVEXXX" to our email homarr-labs@proton.me. +Please never disclose security vulnerabilits on your own publicly - we'd like to search for a dimplomatic solution that is also safe for our users. + +In your initial contact with us, please provide details according to the [OWASP guidelines for initial reports](https://cheatsheetseries.owasp.org/cheatsheets/Vulnerability_Disclosure_Cheat_Sheet.html#initial-report). + +Thank you! 
+We're looking forward to your report
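Review bot: The "Supported Versions" table leaves version 1.0.0 itself unclassified, since the rows are ">1.0.0" and "<1.0.0"; use ">=1.0.0" for the supported row so a reporter on exactly 1.0.0 knows whether it is in scope. Two smaller points in the same hunk: the fallback email subject "Security advisory - CVEXXX" asks reporters to supply a CVE identifier they will not normally have before disclosure, so a subject such as "Security advisory - <short description>" is more realistic; and the Reporting section has spelling errors that should be fixed before merge ("vulnerabilites" and "vulnerabilits" should be "vulnerabilities", "dimplomatic" should be "diplomatic"), and the closing line "We're looking forward to your report" is missing its full stop.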