From 183c62da32494e987272f5966c558c2b1a550aa6 Mon Sep 17 00:00:00 2001 From: Anand Pant Date: Thu, 26 Feb 2026 00:17:17 -0600 Subject: [PATCH] docs: add repository security policy --- SECURITY.md | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..6348465 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,30 @@ +# Security Policy + +## Reporting A Vulnerability + +Please do not open public issues for security problems. + +Use GitHub private vulnerability reporting: + +- Create a private advisory: `https://github.com/shpitdev/cable-intel/security/advisories/new` +- Include repro steps, impact, and any known fix/workaround. + +If private advisory creation is unavailable for your access level, contact a maintainer directly and mark the message as `SECURITY`. + +## Scope + +This policy covers: + +- Source code in this repository +- CI/CD workflows and repository automation +- Credentials/secrets exposure risks tied to this repository + +## Response Targets + +- Initial triage: within 3 business days +- Status update after validation: within 7 business days + +## Remediation + +Validated vulnerabilities are prioritized by impact and fixed as quickly as practical. +When possible, fixes are released before public disclosure.
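Review bot: the fallback reporting path in the "Reporting A Vulnerability" section is not actionable: "contact a maintainer directly and mark the message as `SECURITY`" names no address, handle or link, so a reporter who cannot use the advisory form has no way to find a maintainer, and the primary path only works if private vulnerability reporting is actually enabled in the repository settings, which the policy should confirm. Suggest replacing that sentence with a concrete contact, for example an email alias or a pointer to the maintainers listed in the repository, and keeping the `SECURITY` subject-tag convention. Two smaller gaps in the same file: "Scope" lists what is covered but says nothing about what is not (for instance vulnerabilities in third-party dependencies, which should be reported upstream), and "Remediation" promises fixes "before public disclosure" without a stated disclosure window, so reporters cannot tell when they may publish; one sentence giving the expected coordinated-disclosure period would close that.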