From efb6a032c8db1fc8d4ab9da702f99745d7949a1f Mon Sep 17 00:00:00 2001 From: Thad Guidry Date: Wed, 3 Mar 2021 04:33:21 -0600 Subject: [PATCH] Add Security Policy on how we handle reports (#3405) * Add Security Policy on how we handle reports * Update SECURITY.md Co-authored-by: Antonin Delpeuch * Add note about privately reporting ...to the openrefine-coredev@googlegroups.com mailing list Note, mailing list group is private already but does indeed allow outside persons to email to us. ** Group members - can post but posts from new members will be held for moderation. Co-authored-by: Antonin Delpeuch --- SECURITY.md | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 000000000..385ead408 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,18 @@ +# OpenRefine Security Policy + +## Supported Versions + +| Version | Supported | +| ------- | ------------------ | +| 3.4.x | :white_check_mark: | +| <= 3.3 | :x: | + +## Reporting a Vulnerability + +You can privately report a vulnerability to us by sending a report to this private mailing list [mailto:openrefine-coredev@googlegroups.com](mailto:openrefine-coredev@googlegroups.com) + +Our core team will try their best to fix any valid vulnerability that is reported to them. + +Keep in mind that OpenRefine is designed to run locally on a users PC, while also making network calls across the internet only upon a users choice or command. + +As such, certain vulnerabilities might not apply to OpenRefine's design.
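Review bot: The "Reporting a Vulnerability" section of the new SECURITY.md tells reporters where to send a report but not what to include or what to expect in return. There is no acknowledgement or fix timeline and no statement on disclosure, and the closing line "As such, certain vulnerabilities might not apply to OpenRefine's design." leaves scope to guesswork. Suggest listing what a report should contain (affected version, reproduction steps, impact) and naming the classes of issue considered out of scope given the run-locally design described in the preceding paragraph, so a reporter can tell in advance whether a finding qualifies. Two style points in the same section: the link text repeats the `mailto:` scheme and would read better as the bare address, and "a users PC" / "a users choice" should be "a user's". In the "Supported Versions" table, the rows `3.4.x` and `<= 3.3` will go stale with the next release, so consider adding this file to the release checklist.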