docs: add SECURITY.md policy (#410)

Adds SECURITY.md with responsible disclosure process, scope clarification, and response SLAs.
2026-04-25 03:08:24 +00:00 · 2026-04-10 19:55:01 -04:00 · 2026-04-10 19:55:01 -04:00 · 6b294e34f5
commit 6b294e34f5
parent 30f6f18d41
1 changed files with 31 additions and 0 deletions
--- a/SECURITY.md
+++ b/SECURITY.md
@ -0,0 +1,31 @@
+# Security Policy
+
+## Reporting a Vulnerability
+
+If you discover a security vulnerability in this project, please report it responsibly. Do NOT open a public GitHub issue for security vulnerabilities. Open a private security advisory via GitHub Security tab.
+
+## Response Timeline
+
+- Acknowledgment: within 48 hours
+- Initial assessment: within 7 days
+- Fix or mitigation: depends on severity
+
+## Scope
+
+This repository contains Markdown-based agent definitions and shell scripts for installation and conversion.
+
+### Agent files (.md)
+- Non-executable prompt definitions
+- No API keys, secrets, or credentials should be stored in agent files
+
+### Shell scripts (scripts/)
+- install.sh, convert.sh, and lint-agents.sh are executable
+- Contributors should review scripts for unintended behavior before running
+
+## Best Practices for Contributors
+
+- Never commit API keys, tokens, or credentials
+- Never add executable code inside agent Markdown files
+- Shell scripts must be reviewed before merging
+- Report suspicious agent definitions that attempt prompt injection
+EOFcat SECURITY.md