From 2dd9d1f27a01c466cbbc5e1b7be0547b3b061e88 Mon Sep 17 00:00:00 2001 From: Yinan Qin Date: Sat, 31 Jan 2026 23:19:54 +0800 Subject: [PATCH] docs: Enhance SECURITY.md with bilingual support and details Updated the security policy to include both English and Chinese versions, detailing supported versions and vulnerability reporting guidelines. --- SECURITY.md | 71 +++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 71 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 00000000..d3c22ef9 --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,71 @@ +# Security Policy / 安全策略 + +--- + +## 🌐 English Version + +### Supported Versions +The following versions currently receive security updates: + +| Version | Supported | +|---------|--------------------| +| > 1.0.4 | :white_check_mark: | +| < 1.0.4 | :x: | + +> **Note**: Only versions marked with ✅ receive security patches. Upgrade to a supported version immediately if using an unsupported release. + +### Reporting a Vulnerability +We deeply appreciate your efforts to responsibly disclose security issues. Please follow these guidelines: + +#### 📬 How to Report +- **Preferred**: Use GitHub's [Private Vulnerability Reporting](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities) + +#### 📋 Report Should Include +- Clear description of the vulnerability and potential impact +- Affected component/version +- Steps to reproduce (PoC code appreciated but optional) +- Suggested mitigation (if known) +- Contact information and preferred disclosure timeline + +#### ⚠️ Important Notes +- **DO NOT** disclose publicly before coordination +- Avoid intrusive testing (e.g., data exfiltration, DoS) +- We comply with [ISO/IEC 29147](https://www.iso.org/standard/45173.html) vulnerability disclosure standards +- Good-faith researchers acting responsibly will not face legal action + +Thank you for helping keep our community safe! 
🛡️ + +--- + +## 🇨🇳 中文版本 + +### 支持的版本 +以下版本当前接收安全更新: + +| 版本 | 是否支持 | +|--------|-------------------| +| > 1.0.4 | :white_check_mark: | +| < 1.0.4 | :x: | + +> **提示**:仅标记 ✅ 的版本接收安全补丁。如使用不受支持的版本,请立即升级至受支持版本。 + +### 漏洞报告流程 +感谢您负责任地披露安全问题。请遵循以下指南: + +#### 📬 报告方式 +- **首选**:使用 GitHub [私有漏洞报告](https://docs.github.com/zh/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities) 功能 + +#### 📋 报告内容建议包含 +- 漏洞清晰描述及潜在影响 +- 受影响组件/版本 +- 复现步骤(提供验证代码更佳,非必需) +- 建议的缓解措施(如已知) +- 联系方式及期望的披露时间 + +#### ⚠️ 重要提示 +- 修复完成前**请勿公开披露** +- 避免侵入性测试(如数据窃取、拒绝服务攻击) +- 本流程遵循 [ISO/IEC 29147](https://www.iso.org/standard/45173.html) 漏洞披露国际标准 +- 本着善意负责任研究的安全研究员将不会面临法律追责 + +感谢您为社区安全贡献力量!🛡️
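Review bot: the Supported Versions table in both the English and Chinese sections leaves 1.0.4 itself unclassified. The rows are `| > 1.0.4 | :white_check_mark: |` and `| < 1.0.4 | :x: |`, so a user on exactly 1.0.4 cannot tell whether they receive patches; change one row to `>= 1.0.4` (or `<= 1.0.4`) so every version falls in a row. The "How to Report" section lists only a "Preferred" channel and its link goes to GitHub's general documentation rather than to this repository's own private advisory form (Security tab, "Report a vulnerability"); it also gives no fallback such as a contact address for the case where private vulnerability reporting is not enabled on the repository. Since the policy states that it complies with ISO/IEC 29147, it should also state an acknowledgement window and an expected disclosure timeline, otherwise reporters have no way to know what "before coordination" means in practice. The two language versions disagree on the embargo condition as well: the English says "DO NOT disclose publicly before coordination" while the Chinese says not to disclose before the fix is complete; pick one wording and mirror it in both sections. Finally, the commit subject and body say the policy was enhanced and updated, but the diff is `new file mode 100644` against `/dev/null`, so the message should say that SECURITY.md is being added.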