From 255e69af50049254f86b19c5bfc36aaa926f0cdf Mon Sep 17 00:00:00 2001 From: Travis Sharp <2798069+tsharp@users.noreply.github.com> Date: Fri, 15 May 2026 23:00:40 -0700 Subject: [PATCH] Revise security policy with version support and reporting Updated the security policy to include new version support and reporting guidelines for vulnerabilities. --- SECURITY.md | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..f6dd192 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,26 @@ +# Security Policy + +## Supported Versions + +| Version | Supported | +| ------- | ------------------ | +| 0.4.x | :white_check_mark: | +| < 0.4.0 | :x: | + +## Reporting a Vulnerability + +Please **do not** report security vulnerabilities through public GitHub issues. + +Instead, report them by opening a [GitHub Security Advisory](https://github.com/tsharp/agent-runtime/security/advisories/new) on this repository. + +Include as much of the following information as possible: + +- Type of issue (e.g. buffer overflow, SQL injection, cross-site scripting, etc.) +- Full paths of source file(s) related to the manifestation of the issue +- The location of the affected source code (tag/branch/commit or direct URL) +- Any special configuration required to reproduce the issue +- Step-by-step instructions to reproduce the issue +- Proof-of-concept or exploit code (if possible) +- Impact of the issue, including how an attacker might exploit it + +This project is maintained by a single person on a best-effort basis. Response times are not guaranteed, but you can generally expect an acknowledgement within a few days. If a vulnerability is accepted, a fix will be prioritized based on severity - community contributions and pull requests addressing the issue are very welcome.
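Review bot: the closing paragraph of SECURITY.md invites "community contributions and pull requests addressing the issue", which works against the earlier instruction not to report vulnerabilities through public GitHub issues. A fix opened as an ordinary pull request exposes the flaw before a patched release exists. Suggest stating that fixes for undisclosed issues should be proposed inside the advisory itself (GitHub advisories offer a temporary private fork for this) and that public pull requests are welcome only after the advisory is published. The same paragraph promises an acknowledgement "within a few days" but says nothing about when or how an accepted report becomes public. One sentence on disclosure, for example that the advisory is published once a fixed 0.4.x release is available, would tell reporters what to expect. Minor: the subject and body say "Revise" and "Updated", but the diff creates SECURITY.md as a new file, so "Add security policy" would describe the change more accurately.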