From 9958608ac397fb626295849f124c27bf4a2e9634 Mon Sep 17 00:00:00 2001 From: Justin Beckwith Date: Sat, 11 Apr 2026 21:48:23 -0700 Subject: [PATCH] docs: add security policy --- SECURITY.md | 39 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 39 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..04362db --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,39 @@ +# Security Policy + +## Supported Versions + +Security fixes are generally limited to the latest published release in the +current major version line. + +| Version | Supported | +| ------- | --------- | +| 4.x | Yes | +| < 4.0 | No | + +This package supports Node.js 18 and later. + +## Reporting a Vulnerability + +Please do not report security vulnerabilities through public GitHub issues, +pull requests, or discussions. + +Instead, report them privately by email to +`justin.beckwith@gmail.com` with: + +- A clear description of the issue and its security impact +- Steps to reproduce, proof of concept, or example requests +- Affected package version, Node.js version, and deployment details +- Any suggested mitigations or fixes, if you have them + +You can expect an initial response within 5 business days. After the report is +reviewed, the maintainer will work with you on validation, remediation, and a +coordinated disclosure timeline. + +Please keep vulnerability details private until a fix is available and users +have had a reasonable opportunity to update. + +## Scope + +This policy applies to the `yes-https` package in this repository, including +the published npm package and the source under active maintenance on the default +branch.
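Review bot: the "Reporting a Vulnerability" section offers a single reporting channel, a plain-text email to a personal address (`justin.beckwith@gmail.com`), so reporters have no way to encrypt proof-of-concept details and no fallback if that mailbox is unattended; consider adding a PGP key (or fingerprint) for that address and, if it is enabled for this repository, GitHub's private vulnerability reporting as a second channel. It would also help to state where fixes are announced once the "coordinated disclosure timeline" completes (for example a GitHub Security Advisory for the published npm package), since the "Scope" section names the npm package but nothing tells users how they learn that a patched 4.x release exists.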