From 09e1bec9a3e8139c1ee6337d86de03039e031300 Mon Sep 17 00:00:00 2001 From: Tyler Koenig Date: Sun, 24 May 2026 14:15:25 -0400 Subject: [PATCH] docs: add SECURITY.md with disclosure policy --- SECURITY.md | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..d0127fb --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,19 @@ +# Security Policy + +## Reporting a Vulnerability + +If you find a security issue, please email security@lerkolabs.com rather than opening a public issue. + +Include: +- Description of the vulnerability +- Steps to reproduce +- Potential impact + +We'll acknowledge within 48 hours and aim to patch within 7 days for critical issues. + +## Scope + +- SSH server authentication +- Cluster API authentication +- Stored credentials (alert provider tokens) +- Status page information leakage
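Review bot: The "Reporting a Vulnerability" section gives security@lerkolabs.com as the only channel and offers no way to encrypt a report, so reproduction steps for an issue in the listed scope areas (for example "SSH server authentication") would be sent without end-to-end protection. Consider publishing a PGP key or fingerprint next to the address, or naming a second private channel. The "Include:" list should also ask for the affected version or commit, since "Steps to reproduce" alone does not pin down which build was tested. The line "aim to patch within 7 days for critical issues" gives no target for non-critical reports and says nothing about when a fix is disclosed or whether the reporter is credited; one sentence covering both would set expectations. Under "## Scope", state whether the four items are exhaustive or examples, so a reporter with an issue outside them knows whether to use the same address.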