From b07fcb718541c9764b4400970f97c96a48f3254f Mon Sep 17 00:00:00 2001 From: Massimiliano Pippi Date: Fri, 2 Sep 2022 12:00:14 +0200 Subject: [PATCH] feat: add a security policy for Haystack (#3130) * add the security policy * Apply suggestions from code review Co-authored-by: Agnieszka Marzec <97166305+agnieszka-m@users.noreply.github.com> * include review feedback Co-authored-by: Agnieszka Marzec <97166305+agnieszka-m@users.noreply.github.com> --- SECURITY.md | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000000..1d7370e79d --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,26 @@ +# Security Policy + +## Report a Vulnerability + +If you found a security vulnerability in Haystack, send a message to +[security@deepset.ai](mailto:security@deepset.ai). + +In your message, please include: + +1. Reproducible steps to trigger the vulnerability. +2. An explanation of what makes you think there is a vulnerability. +3. Any information you may have on active exploitations of the vulnerability (zero-day). + +## Vulnerability Response + +We'll review your report within 5 business days and we will do a preliminary analysis +to confirm that the vulnerability is plausible. Otherwise, we'll decline the report. + +We won't disclose any information you share with us but we'll use it to get the issue +fixed or to coordinate a vendor response, as needed. + +We'll keep you updated of the status of the issue. + +Our goal is to disclose bugs as soon as possible once a user mitigation is available. +Once we get a good understanding of the vulnerability, we'll set a disclosure date after +consulting the author of the report and Haystack maintainers.
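Review bot: the "Vulnerability Response" section of the new SECURITY.md contradicts itself: "We won't disclose any information you share with us" is followed two paragraphs later by "Our goal is to disclose bugs as soon as possible once a user mitigation is available." Disclosing the bug necessarily publishes details the reporter shared, so narrow the first sentence to what is actually promised, e.g. "We won't disclose your identity or the contents of your report without your consent; details of the vulnerability will be published as part of the coordinated disclosure described below." Two smaller points in the same hunk: the "Report a Vulnerability" section asks for reproducible trigger steps and zero-day exploitation details, but the only channel given is a plain mailto: link with no PGP key or fingerprint, so consider publishing a key (or a link to where one is hosted) so reporters can encrypt that material; and "We'll keep you updated of the status of the issue" should read "updated on the status of the issue". The file also gives only the 5-business-day triage window and no "Supported Versions" section, which the GitHub SECURITY.md template expects, so reporters cannot tell which Haystack releases will receive fixes.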