From 1d31d5f09ce767019125d468e8c1b6d7a4ef7a71 Mon Sep 17 00:00:00 2001 From: Daniela Plascencia Date: Mon, 7 Oct 2024 14:17:20 +0200 Subject: [PATCH] docs: add SECURITY.md to the repository (#278) * docs: add SECURITY.md to the repository This commit adds the SECURITY.md file to expose the security policy of the CMLflow project, as well as inform users how they can report security/vulnerability issues. Fixes #270 --- SECURITY.md | 10 ++++++++++ 1 file changed, 10 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 00000000..3374e9d2 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,10 @@ +# Security policy + +## Supported Versions + +The Charmed MLflow project releases with a cadence of ~6 months, supports two minor versions of MLflow, and keeps up to date with the latest upstream version. Whenever a new version of Charmed MLflow is released, the oldest version is dropped from support. + +## Reporting a Vulnerability + +To report a security issue, file a [Private Security Report](https://github.com/canonical/mlflow-operator/security/advisories/new) with a description of the issue, the steps you took that led you to the issue, affected versions, and, if known, mitigations for the issue. +The [Ubuntu Security disclosure and embargo policy](https://ubuntu.com/security/disclosure-policy) contains more information about what you can expect when you contact us and what we expect from you.
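Review bot: The "Supported Versions" section says the project "supports two minor versions of MLflow" but never names them, so a reader of SECURITY.md cannot tell whether the version they run still receives security fixes. The text also gives no way to see which version was dropped after a release. Consider listing the currently supported versions in this section, or linking to the place where they are tracked, and updating that list on each release. In "Reporting a Vulnerability", the request for "affected versions" does not say whether the charm version, the MLflow version, or both are wanted. Stating which would make incoming reports easier to triage.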