add SECURITY.md - fixes scorecard security-policy check

Signed-off-by: vmfunc <celeste@linux.com>
2026-03-12 13:13:05 -07:00 · 2026-02-13 01:57:31 +01:00
parent fcf9291653
commit 45a384bdc9
1 changed files with 15 additions and 0 deletions
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -0,0 +1,15 @@
+# security policy
+
+## reporting a vulnerability
+
+if you find a security issue in sif, email celeste@linux.com directly.
+don't open a public issue.
+
+expect a response within 48 hours. if it's confirmed, i'll push a fix
+and credit you in the release notes (unless you'd rather stay anonymous).
+
+## scope
+
+sif is a pentesting tool — "it can scan things" is not a vulnerability.
+actual bugs: command injection in user input handling, path traversal in
+template extraction, credential leaks, that kind of thing.