From 45a384bdc98d009a907f955abc3a46599c05a14e Mon Sep 17 00:00:00 2001 From: vmfunc Date: Fri, 13 Feb 2026 01:57:31 +0100 Subject: [PATCH] add SECURITY.md - fixes scorecard security-policy check Signed-off-by: vmfunc --- SECURITY.md | 15 +++++++++++++++ 1 file changed, 15 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..ed21381 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,15 @@ +# security policy + +## reporting a vulnerability + +if you find a security issue in sif, email celeste@linux.com directly. +don't open a public issue. + +expect a response within 48 hours. if it's confirmed, i'll push a fix +and credit you in the release notes (unless you'd rather stay anonymous). + +## scope + +sif is a pentesting tool — "it can scan things" is not a vulnerability. +actual bugs: command injection in user input handling, path traversal in +template extraction, credential leaks, that kind of thing.
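Review bot: the only reporting channel under `## reporting a vulnerability` is a plaintext address (`email celeste@linux.com directly`) with no PGP key or fingerprint and no private advisory link, so a reporter describing a command-injection or credential-leak bug has no confidential way to send details; consider adding a key fingerprint or a private reporting URL next to the address. The policy also commits to `expect a response within 48 hours` but gives no disclosure timeline (how long a reporter should hold details after a confirmed fix, and what happens if there is no response) and no supported-versions statement, both of which belong in SECURITY.md so reporters know what to expect beyond the first reply; a short `## supported versions` section and one sentence on coordinated disclosure would close that gap.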