
@Danielpeter-99 (Contributor) commented May 30, 2025

Summary by Sourcery

Documentation:

  • Introduce SECURITY.md outlining supported versions, vulnerability reporting procedures, security best practices, responsible disclosure policy, core security features, and licensing for contributions

@sourcery-ai sourcery-ai bot commented May 30, 2025

Reviewer's Guide

Adds a new SECURITY.md file establishing the project's security policy, vulnerability reporting procedures, best practices, and licensing terms for security contributions.

File-Level Changes

Change: Introduce SECURITY.md with comprehensive security policy
Details:
  • Add Supported Versions overview
  • Define private vulnerability reporting process
  • Document Security Best Practices guidelines
  • Outline Responsible Disclosure timeline
  • List built-in Project Security Features
  • Specify Apache 2.0 license for security contributions
Files: SECURITY.md


@sourcery-ai sourcery-ai bot left a comment

Hey @Danielpeter-99 - I've reviewed your changes - here's some feedback:

  • Consider adding an expected response and fix timeline (e.g. 72 hours acknowledgement, 30 days to remediation) to set clear expectations for reporters.
  • You may want to include a PGP/GPG public key or other encryption method so that vulnerability reports can be submitted securely.
  • It could be helpful to define severity levels or CVSS scoring to clarify how reports will be prioritized and handled.
Here's what I looked at during the review
  • 🟡 General issues: 2 issues found
  • 🟢 Security: all looks good
  • 🟢 Testing: all looks good
  • 🟢 Documentation: all looks good


Comment on lines +5 to +7

    We aim to support the latest stable release of Evo AI and apply security updates as soon as possible. Please use the most recent version for the best security.

    ---

suggestion: Consider adding guidance on how users can find the latest version or updates.

You might reference GitHub Releases or a security announcements channel to direct users to update information.

Suggested change

Original:
    We aim to support the latest stable release of Evo AI and apply security updates as soon as possible. Please use the most recent version for the best security.
    ---

Suggested:
    We aim to support the latest stable release of Evo AI and apply security updates as soon as possible. Please use the most recent version for the best security.
    To find the latest version and release notes, visit our [GitHub Releases page](https://github.com/your-org/evo-ai/releases). For important security announcements, please watch the repository or subscribe to our security advisories.
    ---

Comment on lines +16 to +19

    - Include as much detail as possible, including:
      - Steps to reproduce the issue
      - Potential impact
      - Your suggestions (if any) for remediation

🚨 suggestion (security): Consider adding 'Affected version(s)' to the list of details for vulnerability reports.

Requesting affected version(s) helps with triage and reproduction of security issues, leading to higher quality reports.

Suggested change

Original:
    - Include as much detail as possible, including:
      - Steps to reproduce the issue
      - Potential impact
      - Your suggestions (if any) for remediation

Suggested:
    - Include as much detail as possible, including:
      - Affected version(s)
      - Steps to reproduce the issue
      - Potential impact
      - Your suggestions (if any) for remediation

Comment on lines +51 to +52

    ## Responsible Disclosure

suggestion: Consider defining or giving an example of 'reasonable time' for disclosure.

Specifying a typical timeframe (e.g., 'usually 90 days, adjustable based on circumstances') would clarify expectations for reporters.

Suggested change

Original:
    ## Responsible Disclosure

Suggested:
    ## Responsible Disclosure
    Please give us a reasonable time to investigate and address any reported security issues before any public disclosure. A reasonable time is typically **90 days** from the initial report, but may be adjusted based on the complexity or severity of the issue. We will keep you informed of our progress and coordinate disclosure timelines as needed.

@DavidsonGomes DavidsonGomes changed the base branch from main to develop May 31, 2025 14:28
@DavidsonGomes DavidsonGomes merged commit e198d85 into EvolutionAPI:develop May 31, 2025
3 checks passed