Add SECURITY.md security policy (#2660)

* Initial plan * Add SECURITY.md with security policy Agent-Logs-Url: https://github.com/mikefarah/yq/sessions/f9ff8a4c-addc-485b-abb8-4103394851a4 Co-authored-by: mikefarah <1151925+mikefarah@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: mikefarah <1151925+mikefarah@users.noreply.github.com>
2026-06-29 08:38:48 +00:00 · 2026-04-12 18:57:11 +10:00 · 2026-04-12 18:57:11 +10:00 · 30ca9ffde7
commit 30ca9ffde7
parent 2927a28283
1 changed files with 26 additions and 0 deletions
--- a/SECURITY.md
+++ b/SECURITY.md
@ -0,0 +1,26 @@
+# Security Policy
+
+## Reporting a Vulnerability
+
+Please **do not** report security vulnerabilities through public GitHub issues.
+
+Instead, use GitHub's private vulnerability reporting feature:
+👉 https://github.com/mikefarah/yq/security
+
+This allows vulnerabilities to be triaged and addressed confidentially before any public disclosure.
+
+## Scope
+
+### HTTP / TLS / Network vulnerabilities
+
+yq is a command-line YAML/JSON/TOML processor that reads from files or standard input and writes to standard output. **yq does not include any HTTP or network libraries** and makes no network connections at runtime. CVEs related to HTTP, TLS, or networking are therefore **not applicable** to yq.
+
+### Dependency version bumps
+
+yq uses [Dependabot](https://docs.github.com/en/code-security/dependabot) to automatically raise pull requests for:
+
+- Go module dependencies
+- Go toolchain version
+- Docker base images
+
+Please **do not** raise pull requests or issues solely to bump dependency or Go versions — Dependabot handles this automatically and the maintainers merge those PRs regularly.