From 6b294e34f58b273bc14bac33768478e6716b60ea Mon Sep 17 00:00:00 2001
From: CharlyP <cparra071155@gmail.com>
Date: Fri, 10 Apr 2026 19:55:01 -0400
Subject: [PATCH] docs: add SECURITY.md policy (#410)

Adds SECURITY.md with responsible disclosure process, scope clarification, and response SLAs.
---
 SECURITY.md | 31 +++++++++++++++++++++++++++++++
 1 file changed, 31 insertions(+)
 create mode 100644 SECURITY.md

diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 0000000..571247c
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,31 @@
+# Security Policy
+
+## Reporting a Vulnerability
+
+If you discover a security vulnerability in this project, please report it responsibly. Do NOT open a public GitHub issue for security vulnerabilities. Open a private security advisory via GitHub Security tab.
+
+## Response Timeline
+
+- Acknowledgment: within 48 hours
+- Initial assessment: within 7 days
+- Fix or mitigation: depends on severity
+
+## Scope
+
+This repository contains Markdown-based agent definitions and shell scripts for installation and conversion.
+
+### Agent files (.md)
+- Non-executable prompt definitions
+- No API keys, secrets, or credentials should be stored in agent files
+
+### Shell scripts (scripts/)
+- install.sh, convert.sh, and lint-agents.sh are executable
+- Contributors should review scripts for unintended behavior before running
+
+## Best Practices for Contributors
+
+- Never commit API keys, tokens, or credentials
+- Never add executable code inside agent Markdown files
+- Shell scripts must be reviewed before merging
+- Report suspicious agent definitions that attempt prompt injection
+EOFcat SECURITY.md