From 30ca9ffde75fae0ef83ceb721730565871f61ccd Mon Sep 17 00:00:00 2001 From: Copilot <198982749+Copilot@users.noreply.github.com> Date: Sun, 12 Apr 2026 18:57:11 +1000 Subject: [PATCH] Add SECURITY.md security policy (#2660) * Initial plan * Add SECURITY.md with security policy Agent-Logs-Url: https://github.com/mikefarah/yq/sessions/f9ff8a4c-addc-485b-abb8-4103394851a4 Co-authored-by: mikefarah <1151925+mikefarah@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: mikefarah <1151925+mikefarah@users.noreply.github.com> --- SECURITY.md | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 00000000..57f1de82 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,26 @@ +# Security Policy + +## Reporting a Vulnerability + +Please **do not** report security vulnerabilities through public GitHub issues. + +Instead, use GitHub's private vulnerability reporting feature: +👉 https://github.com/mikefarah/yq/security + +This allows vulnerabilities to be triaged and addressed confidentially before any public disclosure. + +## Scope + +### HTTP / TLS / Network vulnerabilities + +yq is a command-line YAML/JSON/TOML processor that reads from files or standard input and writes to standard output. **yq does not include any HTTP or network libraries** and makes no network connections at runtime. CVEs related to HTTP, TLS, or networking are therefore **not applicable** to yq. + +### Dependency version bumps + +yq uses [Dependabot](https://docs.github.com/en/code-security/dependabot) to automatically raise pull requests for: + +- Go module dependencies +- Go toolchain version +- Docker base images + +Please **do not** raise pull requests or issues solely to bump dependency or Go versions — Dependabot handles this automatically and the maintainers merge those PRs regularly.
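Review bot: the Scope section in this hunk only says what is out of scope (HTTP/TLS/network CVEs, dependency and toolchain bumps) and never says what is in scope, and there is no supported-versions section, so someone reporting a parser crash on crafted YAML or a file-read problem cannot tell which releases will get a fix; suggest a short "Supported Versions" block and one in-scope sentence ahead of the exclusions. Two caveats on the network paragraph: the claim "yq does not include any HTTP or network libraries" should be checkable rather than asserted, e.g. `go list -deps ./... | grep -E '^net/http$|^crypto/tls$'` run in CI, and because Go links the standard library statically, binary and image scanners will still flag Go stdlib CVEs (net/http ones included) against the yq binary and the Docker base images listed below, which the toolchain and base-image bumps in the Dependabot section already cover; say so explicitly, otherwise this section will keep attracting exactly the reports it tries to deflect. Minor: link to the report form itself (https://github.com/mikefarah/yq/security/advisories/new) and confirm private vulnerability reporting is enabled in the repository settings, since without it the /security page only shows the overview.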