From 7944c7eede1ec5df029aac3c26e5e37764534009 Mon Sep 17 00:00:00 2001
From: Josef Vacha <69599105+JosefVacha@users.noreply.github.com>
Date: Sun, 24 May 2026 12:56:22 +0000
Subject: [PATCH] docs: add SECURITY.md with coordinated-disclosure contact
---
CONTRIBUTING.md | 2 ++
README.md | 4 +++-
SECURITY.md | 47 +++++++++++++++++++++++++++++++++++++++++++++++
3 files changed, 52 insertions(+), 1 deletion(-)
create mode 100644 SECURITY.md
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index 0583787a..342a5a13 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -1,5 +1,7 @@
# Contributing to HackAgent
+Please review our [Security Policy](SECURITY.md) before contributing.
+
First off, thank you for considering contributing to HackAgent! It's people like you that make HackAgent such a great tool. We welcome contributions of all kinds, from bug reports and feature requests to documentation improvements and code contributions.
Following these guidelines helps to communicate that you respect the time of the developers managing and developing this open-source project. In return, they should reciprocate that respect in addressing your issue, assessing changes, and helping you finalize your pull requests.
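Review bot: the new line at the top of CONTRIBUTING.md points at the policy but omits the one instruction that matters at contribution time: security vulnerabilities must not be filed as public GitHub issues or pull requests (SECURITY.md asks for private reports). Consider making that explicit in the sentence itself, e.g. `Please review our [Security Policy](SECURITY.md) before contributing; do not report security vulnerabilities through public issues or pull requests.`, so the instruction holds even for readers who never open the linked file.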
diff --git a/README.md b/README.md
index 9430f6e7..600d7f25 100644
--- a/README.md
+++ b/README.md
@@ -7,7 +7,9 @@
-[App](https://app.hackagent.dev/) -- [Docs](https://docs.hackagent.dev/) -- [API](https://api.hackagent.dev/schema/redoc)
+[](SECURITY.md)
+
+
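Review bot: the added link `[](SECURITY.md)` has empty link text, so it renders as nothing in the README and is invisible to screen readers; in the same hunk the existing `[App](https://app.hackagent.dev/) -- [Docs](https://docs.hackagent.dev/) -- [API](https://api.hackagent.dev/schema/redoc)` navigation line is deleted, which looks unintended for a docs-only change. Suggest keeping the original line and appending the policy to it, e.g. `[App](https://app.hackagent.dev/) -- [Docs](https://docs.hackagent.dev/) -- [API](https://api.hackagent.dev/schema/redoc) -- [Security Policy](SECURITY.md)`. If the empty brackets were meant to wrap a badge image, the image markup is missing from the hunk and should be restored before merge.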
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 00000000..e00a0c37
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,47 @@
+# Security Policy
+
+## Supported Versions
+
+We actively support the following versions of HackAgent with security updates:
+
+| Version | Supported |
+| ------- | ------------------ |
+| Latest | :white_check_mark: |
+| < 2.0 | :x: |
+
+## Reporting a Vulnerability
+
+We take the security of HackAgent seriously. If you discover a security vulnerability, please report it to us privately.
+
+**Contact:** ais@ai4i.it
+
+**Expected Response SLA:**
+- **Acknowledgement:** Within 48 hours of receiving your report.
+- **Initial Assessment:** Within 7 days with a detailed plan for addressing the issue.
+- **Status Updates:** Every 5 days until the vulnerability is resolved.
+
+## Disclosure Policy
+
+We follow a coordinated disclosure process:
+1. Security report received and acknowledged.
+2. Issue is verified and fixed in a private fork.
+3. Security advisory is published on GitHub.
+4. Patch is released to the main branch.
+5. Public disclosure after fix is available (typically 24-48 hours after patch).
+
+## PGP Key
+
+Currently, we do not provide a PGP key for encrypted communication. Please use the secure contact email above.
+
+## Scope
+
+Vulnerabilities in the following areas are within scope:
+- Authentication and authorization mechanisms
+- Data handling and privacy protections
+- Code injection vulnerabilities
+- Dependency vulnerabilities in `requirements.txt` / `pyproject.toml`
+
+Out of scope:
+- Social engineering attacks
+- Physical security issues
+- DoS attacks against public infrastructure
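Review bot: the Disclosure Policy steps are out of order for coordinated disclosure: step 3 publishes the security advisory on GitHub before step 4 releases the patch to the main branch, so users would learn of the flaw before a fix exists, and step 5's "Public disclosure after fix is available" then contradicts step 3. Suggest swapping steps 3 and 4 (release the patch, then publish the advisory), or stating that the advisory is drafted privately during step 2 and published together with the patch. Two smaller points: the Supported Versions table lists only `Latest` and `< 2.0`, which leaves 2.x releases that are not the latest unspecified; state explicitly whether only the most recent release receives fixes. And since the PGP Key section offers no encrypted channel, consider naming a second, non-email route (for example a GitHub private vulnerability report) so reporters are not forced to send exploit details over plain email to `ais@ai4i.it`.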