sybrenstuvel · sybrenstuvel · Nov 1, 2023 · Sep 7, 2023 · Sep 7, 2023
diff --git a/README.md b/README.md
@@ -26,6 +26,8 @@ licensed under the [Apache License, version 2.0](https://www.apache.org/licenses
 
 Because of how Python internally stores numbers, it is very hard (if not impossible) to make a pure-Python program secure against timing attacks. This library is no exception, so use it with care. See https://securitypitfalls.wordpress.com/2018/08/03/constant-time-compare-in-python/ for more info.
 
+For instructions on how to best report security issues, see our [Security Policy](https://github.com/sybrenstuvel/python-rsa/blob/main/SECURITY.md).
+
 ## Setup of Development Environment
 
 ```

diff --git a/SECURITY.md b/SECURITY.md
@@ -0,0 +1,13 @@
+# Security Policy
+
+## Supported Versions
+
+Security updates are applied only to the latest release.
+
+## Reporting a Vulnerability
+
+If you have discovered a security vulnerability in this project, please report it privately. **Do not disclose it as a public issue.** This gives us time to work with you to fix the issue before public exposure, reducing the chance that the exploit will be used before a patch is released.
+
+Please disclose it by email to <sybren@stuvel.eu>.
+
+This project is maintained by a team of volunteers on a reasonable-effort basis. As such, vulnerabilities will be handled and/or disclosed in a best effort base.
-Original file line number
+Diff line change
@@ Expand Up @@
     Because of how Python internally stores numbers, it is very hard (if not impossible) to make a pure-Python program secure against timing attacks. This library is no exception, so use it with care. See https://securitypitfalls.wordpress.com/2018/08/03/constant-time-compare-in-python/ for more info.
+    For instructions on how to best report security issues, see our [Security Policy](https://github.com/sybrenstuvel/python-rsa/blob/main/SECURITY.md).
     ## Setup of Development Environment
     ```
@@ Expand Down @@