From 015d8e7fb877550e859fda28986816fca1777dd8 Mon Sep 17 00:00:00 2001
From: Stephen Hemminger <stephen@networkplumber.org>
Date: Fri, 29 Sep 2023 16:03:07 -0700
Subject: [PATCH] Add security policy

Iproute2 security policy is minimal since the security
domain is controlled by the kernel. But it should be documented
before some new security related bug arises at some future time.

Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
 SECURITY.md | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)
 create mode 100644 SECURITY.md

diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 00000000..d5a7775f
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,21 @@
+# Security Policy
+
+## Reporting a vulnerability
+
+The iproute2 suite of utilities is tightly coupled with the Linux
+kernel networking. Therefore the bug reporting process mirrors
+the Linux kernel. Most security problems reported related to
+iproute2 are really Linux kernel issues (a.k.a Shoot the messenger)
+and are best handled via
+[Linux Security Bugs](https://docs.kernel.org/process/security-bugs.html).
+
+For other issues please report bugs to netdev@vger.kernel.org
+and include an example script.
+
+## Supported Versions
+
+There are no official "Long Term Support" versions for iproute2.
+The iproute2 version matches the Linux kernel versions.
+There will be occasional maintenance releases for serious
+issues if found. Users who need support are encouraged
+to use the version of iproute2 found in major distributions.