From 9da20cfe25f9016c7d160ca0fc82eeee8d88e741 Mon Sep 17 00:00:00 2001 From: Florian Forster Date: Fri, 20 Mar 2020 06:30:10 +0100 Subject: [PATCH] docs(readme): security policy (#19) * Create SECURITY.md * Update README.md --- README.md | 4 ++++ SECURITY.md | 43 +++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 47 insertions(+) create mode 100644 SECURITY.md diff --git a/README.md b/README.md index 3ee954f4ab..eb9c8971e9 100644 --- a/README.md +++ b/README.md @@ -21,6 +21,10 @@ It will be an IAM ;-) TBD +## Security + +See the policy [here](./SECURITY.md) + ## License See the exact licensing terms [here](./LICENSE) diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000000..3c2d48d751 --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,43 @@ +# Security Policy + +At CAOS we are extremely grateful for security aware people that disclose vulnerabilities to us and the open source community. All reports will be investigated by our team. + +## Supported Versions + +After the initial Release the following version support will apply + +| Version | Supported | +| ------- | ------------------ | +| 1.x.x | :white_check_mark: (not yet available) | +| 0.x.x | :x: | + +## Reporting a vulnerability + +To file a incident, please disclose by email to security@caos.ch with the security details. + +At the moment GPG encryption is no yet supported, however you may sign your message at will. + +### When should I report a vulnerability + +* You think you discovered a ... + * ... potential security vulnerability in zitadel + * ... vulnerability in another project that zitadel bases on +* For projects with their own vulnerability reporting and disclosure process, please report it directly there + +### When should I NOT report a vulnerability + +* You need help applying security related updates +* Your issue is not security related + +## Security Vulnerability Response + +TBD + +## Public Disclosure + +All accepted and mitigated vulnerabilitys will be published on the [Github Security Page](https://github.com/caos/zitadel/security/advisories) + +### Timing + +We think it is crucial to publish advisories `ASAP` as mitigations are ready. But due to the unknown nature of the discloures the time frame can range from 7 to 90 days. +
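Review bot: in the SECURITY.md hunk the "Security Vulnerability Response" section is left as "TBD", so a reporter who follows this policy gets no commitment on acknowledgement or triage; combined with the Supported Versions table, which marks 1.x.x as "not yet available" and 0.x.x with :x:, the policy currently tells reporters there is no supported version and no response process. Suggest at least an acknowledgement window (e.g. "we confirm receipt within N business days") and a statement that 0.x.x reports are still welcome while no 1.x.x release exists, since the "When should I report" list otherwise invites reports the table appears to exclude. The GPG paragraph says encryption is "no yet supported" but that reporters "may sign your message at will"; signing gives integrity, not confidentiality, so the vulnerability details still travel in plaintext to security@caos.ch; consider publishing a public key for that address. Typos in the same hunk: "To file a incident" should be "an incident", "no yet supported" should be "not yet supported", "another project that zitadel bases on" should be "another project that zitadel is based on", "vulnerabilitys" should be "vulnerabilities", "discloures" should be "disclosures".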
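Review bot: in the README.md hunk the new "Security" section consists only of "See the policy [here](./SECURITY.md)"; a reporter landing on the README has to follow a second hop to find the contact address. Suggest naming the reporting channel inline, e.g. "Report vulnerabilities to security@caos.ch; see [SECURITY.md](./SECURITY.md) for the full policy", and using the file name as the link text instead of "here", matching the existing License line which links "[here](./LICENSE)" but at least names the terms in the sentence.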