A security.md file is needed to track security changes. Addressing vulnerabilites or issues inthis way contributes to transparency. Example given below:

Security Policy

Supported Versions

The following versions of our project are currently supported with security updates. If you are using an unsupported version, please consider upgrading to a supported version to ensure that you receive the latest security fixes.

Version	Supported
5.1.x	:white_check_mark:
5.0.x	:x:
4.0.x	:white_check_mark:
< 4.0	:x:

Reporting a Vulnerability

If you discover a security vulnerability in our project, we encourage you to report it as soon as possible. We appreciate your help in keeping our project secure for everyone.

How to Report

Email: Please send an email to security@yourproject.org with the details of the vulnerability.
Encryption: If you need to send sensitive information, please use our PGP key, which you can find here.

What to Include

When reporting a vulnerability, please include the following information:

A description of the vulnerability.
Steps to reproduce the vulnerability.
The version of the software where the vulnerability was found.
Any potential impacts of the vulnerability.

What to Expect

Acknowledgment: We will acknowledge your report within 48 hours.
Updates: We will provide updates on the status of your report within 7 days.
Resolution: Once the vulnerability is confirmed, we aim to release a security fix within 30 days. You will be notified when the fix is available.

Public Disclosure

We will coordinate with you to disclose the vulnerability responsibly. We request that you do not publicly disclose the vulnerability until we have had a chance to address it.

Thank you for helping us keep our project secure!

siv-org / siv

No Security.md file for tracking versions within the repo #198