From 46f9ab2ee451dc2c7b33e1ace78fc3e8edb4e34c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fahreddin=20=C3=96zcan?= <88107904+fahreddinozcan@users.noreply.github.com> Date: Mon, 1 Dec 2025 19:01:06 +0300 Subject: [PATCH] Revise security policy and supported versions (#1123) Updated supported versions and reporting guidelines for vulnerabilities. --- SECURITY.md | 44 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 44 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..2a16d1b --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,44 @@ +# Security Policy + +## Supported Versions + +The following versions of Context7 MCP are currently supported with security updates: + +| Version | Supported | +| ------- | ------------------ | +| 1.0.x | :white_check_mark: | + +We recommend always using the latest version (`@upstash/context7-mcp@latest`) to ensure you have the most recent security patches and features. + +## Reporting a Vulnerability + +We take the security of Context7 seriously. If you discover a security vulnerability, please report it responsibly. + +### How to Report + +- Please use GitHub's [private vulnerability reporting](https://github.com/upstash/context7/security/advisories/new) feature to submit your report +- Alternatively, you can email security concerns to [context7@upstash.com](mailto:context7@upstash.com) + +### What to Include + +- A description of the vulnerability +- Steps to reproduce the issue +- Potential impact of the vulnerability +- Any suggested fixes (optional) + +### What to Expect + +- **Initial Response**: We aim to acknowledge your report within 48 hours +- **Status Updates**: You can expect updates on the progress every 5-7 business days +- **Resolution Timeline**: We strive to resolve critical vulnerabilities within 30 days + +### After Reporting + +- If the vulnerability is accepted, we will work on a fix and coordinate disclosure with you +- We will credit reporters in our release notes (unless you prefer to remain anonymous) +- If the report is declined, we will provide an explanation + +### Please Do Not + +- Disclose the vulnerability publicly before we have addressed it +- Exploit the vulnerability beyond what is necessary to demonstrate it
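Review bot: the "Supported Versions" table in this hunk has a single row (`| 1.0.x | :white_check_mark: |`) and never says which versions are unsupported, so a reader running a pre-1.0 build cannot tell whether to expect fixes; add an explicit row such as `| < 1.0 | :x: |` so the cutoff is unambiguous. The "Resolution Timeline" bullet only commits to a 30-day target for critical vulnerabilities; either add targets for lower severities or state that they are triaged case by case, so "What to Expect" matches the update cadence promised in "Status Updates". Minor: the subject line says "Revise security policy" and the body says "Updated", but the diff shows `create mode 100644 SECURITY.md` against `--- /dev/null`, so this commit adds the file rather than revising it; consider wording the commit message accordingly.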