From 53adbde4c46bdf199d2ef91cce7994209a14ae00 Mon Sep 17 00:00:00 2001 From: Jussi Nummelin Date: Tue, 7 Jan 2025 15:57:09 +0200 Subject: [PATCH] Document vulnerability reporting process Signed-off-by: Jussi Nummelin --- SECURITY.md | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 000000000000..dffa96a4e08a --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,22 @@ +# Security Policy + +## Supported Versions + +Following versions are supported and maintained: + +| Version | Supported | +|-----------|--------------------| +| v1.31.x | :white_check_mark: | +| v1.30.x | :white_check_mark: | +| v1.29.x | :white_check_mark: | +| < v1.29.x | :x: | + +## Reporting a Vulnerability + +k0s supports responsible disclosure and endeavors to resolve security issues in a reasonable timeframe. + +To report a security vulnerability, you can use Github [private security reporting] feature under the [Security tab]. +That allows the reporter and maintainers to coordinate the disclosure and the fix before public disclosure. + +[Security tab]: https://github.com/k0sproject/k0s/security +[private security reporting]: https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/privately-reporting-a-security-vulnerability
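Review bot: the "Reporting a Vulnerability" section of the new SECURITY.md offers GitHub private security reporting as the only channel and promises resolution in "a reasonable timeframe"; a reporter without a GitHub account has no way in, and the timeframe is not measurable. Suggest adding a fallback contact (for example a project security mailbox, if one exists) and a concrete acknowledgement target, e.g. "We aim to acknowledge reports within N business days" with the project's actual number. The "Supported Versions" table hard-codes `v1.31.x` / `v1.30.x` / `v1.29.x`, so it will go stale on every minor release; consider linking to wherever the support window is defined, or stating the rule (e.g. "the three most recent minor releases") alongside the table. Wording nits in the hunk: "Following versions are supported and maintained:" should read "The following versions are supported and maintained:", and "Github" should be spelled "GitHub" to match the product name used in the linked docs.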