Added security policy file.

diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644 (file)
index 0000000..43168e9
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,25 @@
+# Security policy
+
+## Supported versions
+
+Only stable code line maintained in master repo branch is supported. Currently this is 2.4.* version. Any older FA versions should be upgraded to current version using upgrade scripts included.
+
+## Reporting vulnerabilities
+
+For medium or high severity security vulnerabilities, please report them by email to security@frontaccounting.com. We will review provided information and contact you to collaborate on resolving the issue.
+
+For low severity security vulnerabilities, you can either follow the above reporting pipeline or open an issue at our [Mantis bugtracker](https://mantis.frontaccounting.com).
+
+Please provide as much information as possible:
+
+- A detailed description of the vulnerability, preferably as step by step instruction we can use to reproduce your findings on standard FA setup.
+
+- Who can exploit this vulnerability and what would they gain. An attack scenario.
+
+- Information about known exploits if any.
+
+
+## Vulnerability disclosure policy
+
+Due to the nature of open source, security vulnerability fixes are public. Patches for minor issues are committed directly to stable repository branch, to be published with next planned minor release. Confirmed serious vulnerabilities are fixed and published as soon as possible, together with new emergency minor release.
+