From b9d555bfd8d396f56ca6e988ffcc546b3e9c486e Mon Sep 17 00:00:00 2001 From: Robert Lipe Date: Thu, 17 Mar 2022 00:31:30 -0500 Subject: [PATCH] Create SECURITY.md --- SECURITY.md | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 000000000..73592c49c --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,25 @@ +# Security Policy + +We are in favor of it. :-) + +## Supported Versions + +Only the current shipping version and the development trunk are supported. + +## Reporting a Vulnerability + +File a bugreport at https://github.com/GPSBabel/gpsbabel/issues please. +Include all steps necessary to reproduce. + +Hypotheticals like "If a bit in RAM is corrupted between this store and +this load" will be closed. We're a real product that deals in real issues +only. + +We are inherently reading untrusted input and often from untrusted +sources, so running a file converter as root on your server is bad. Don't +do that. If you insist on doing it, please run ulimit to minimize the +time and CPU load that can be used. An adversary can hand craft (or just +plain have) a corrupt or malformed file and sending it to you might make +GPSBabel loop forever. We try for that to not happen, but it's a necessary +reality of our job. Our goal is a desktop user converting files that they +control.
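Review bot: the "Reporting a Vulnerability" section directs reporters to the public issue tracker (`File a bugreport at https://github.com/GPSBabel/gpsbabel/issues please.`), which means any exploitable crash or hang is disclosed to everyone before a fix exists; if the project wants that, say so explicitly ("we accept public reports and do not do coordinated disclosure"), otherwise add a private channel (a maintainer e-mail address or GitHub's private vulnerability reporting on the repository) for reports that include a working reproducer. In the same section, "run ulimit to minimize the time and CPU load" should name the switches a server operator would actually use (`ulimit -t` caps CPU seconds) and should also cover memory (`ulimit -v`), since a hand-crafted input can exhaust memory just as easily as it can make the converter loop forever; a one-line example such as `ulimit -t 30 -v 1000000; gpsbabel ...` would make the advice actionable. Minor wording: "bugreport" should be "bug report", and "sending it to you might make GPSBabel loop forever" reads better as "sending it to you, and GPSBabel might loop forever on it".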