Revise security policy and supported versions (#1123)

fahreddinozcan · web-flow · commit 46f9ab2ee451 · 2025-12-01T19:01:06.000+03:00
Updated supported versions and reporting guidelines for vulnerabilities.
diff --git a/SECURITY.md b/SECURITY.md
@@ -0,0 +1,44 @@
+# Security Policy
+
+## Supported Versions
+
+The following versions of Context7 MCP are currently supported with security updates:
+
+| Version | Supported          |
+| ------- | ------------------ |
+| 1.0.x   | :white_check_mark: |
+
+We recommend always using the latest version (`@upstash/context7-mcp@latest`) to ensure you have the most recent security patches and features.
+
+## Reporting a Vulnerability
+
+We take the security of Context7 seriously. If you discover a security vulnerability, please report it responsibly.
+
+### How to Report
+
+- Please use GitHub's [private vulnerability reporting](https://github.com/upstash/context7/security/advisories/new) feature to submit your report
+- Alternatively, you can email security concerns to [context7@upstash.com](mailto:context7@upstash.com)
+
+### What to Include
+
+- A description of the vulnerability
+- Steps to reproduce the issue
+- Potential impact of the vulnerability
+- Any suggested fixes (optional)
+
+### What to Expect
+
+- **Initial Response**: We aim to acknowledge your report within 48 hours
+- **Status Updates**: You can expect updates on the progress every 5-7 business days
+- **Resolution Timeline**: We strive to resolve critical vulnerabilities within 30 days
+
+### After Reporting
+
+- If the vulnerability is accepted, we will work on a fix and coordinate disclosure with you
+- We will credit reporters in our release notes (unless you prefer to remain anonymous)
+- If the report is declined, we will provide an explanation
+
+### Please Do Not
+
+- Disclose the vulnerability publicly before we have addressed it
+- Exploit the vulnerability beyond what is necessary to demonstrate it
