Create SECURITY.md (#135)

Probably this is the best we can currently offer. Any suggestions are welcomed though. Ref https://github.com/roboll/helmfile/issues/2147 Signed-off-by: Yusuke Kuoka <ykuoka@gmail.com>
2022-06-05 17:11:54 +09:00 · 2022-06-05 17:11:54 +09:00 · 173767d2c5
parent 83a7245d0f
commit 173767d2c5
1 changed files with 25 additions and 0 deletions
--- a/SECURITY.md
+++ b/SECURITY.md
@ -0,0 +1,25 @@
+# Security Policy
+
+##  Sponsoring the project
+
+This project is maintained by a small team of four and therefore lacks the resource to provide security fixes in a very timely manner.
+
+That said, even though we are very passionate about making Helmfile rock solid security wise, all issues are handled on the best effort basis.
+
+If you have important business(es) that relies on this project, please consider sponsoring the maintainers, so that they can commit more on providing such service.
+
+> *Note* that we don't currently have project-wide sponsorship enabled as we don't know how to share the amount of sponsorships with fairness.
+> Please sponsor individuals instead! Thanks for your understanding.
+
+## Supported Versions
+
+| Version | Supported          |
+| ------- | ------------------ |
+| 0.144.0  | :white_check_mark: |
+| < 0.144.0| :x:                |
+
+## Reporting a Vulnerability
+
+To report a security issue, please email helmfile-security@googlegroups.com with a description of the issue, the steps you took to create the issue, affected versions, and, if known, mitigations for the issue.
+
+A maintainer will try to respond within 5 working days. If the issue is confirmed as a vulnerability, a Security Advisory will be opened. This project currently tries to follow a 90 day disclosure timeline.