From cc547b56b6c6c16ade95fc1a07cebdbf90591d4c Mon Sep 17 00:00:00 2001 From: Hrishi Date: Sun, 3 May 2026 11:52:07 +0530 Subject: [PATCH] docs: add SECURITY.md with vulnerability reporting policy --- SECURITY.md | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..bd922f0 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,25 @@ +# Security Policy + +## Reporting a Vulnerability + +If you discover a security vulnerability in Scriptty, please report it +privately so it can be fixed before public disclosure. + +**Preferred:** use GitHub's [private vulnerability reporting](https://github.com/stultus/scriptty/security/advisories/new). + +**Alternative:** email the maintainer at hrishi.kb@gmail.com with a +description, reproduction steps, and impact assessment. + +You should expect an initial response within 7 days. Please do not file +public issues for security problems. + +## Scope + +In scope: +- The Scriptty desktop application (Tauri shell, SvelteKit UI, Typst + rendering pipeline) +- The release / build workflows under `.github/workflows` + +Out of scope: +- Third-party dependencies (report upstream and notify us) +- Content within user-authored screenplays
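Review bot: In the Scope section, the out-of-scope item "Content within user-authored screenplays" conflicts with the in-scope "Typst rendering pipeline": a reporter cannot tell whether a crafted screenplay file that makes the application misbehave when opened or rendered is covered. Suggest narrowing the exclusion to what a screenplay's text says, and stating explicitly that flaws in how Scriptty parses or renders a screenplay file are in scope. The neighbouring item "Third-party dependencies (report upstream and notify us)" has a similar gap: it does not say which channel "notify us" means, or whether a vulnerable dependency version shipped in a release counts as a Scriptty issue. Under Reporting a Vulnerability, the email alternative asks for reproduction steps and an impact assessment over plain email with no encryption key offered, and "initial response within 7 days" is the only timeline given. Consider adding what the reporter can expect after that first response (fix and disclosure coordination) and which released versions receive security fixes.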