From 3ff0668bf4565e7f8ea4b843474ddb49cce46fed Mon Sep 17 00:00:00 2001 From: Phil Pennock Date: Wed, 19 Jun 2019 15:37:19 -0400 Subject: [PATCH] Add a security page in a place where GitHub will detect it --- SECURITY.md | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 000000000..5580a8cfc --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,30 @@ +# Security Policy + +## Supported Versions + +We are an open source project with no corporate sponsor and no formal +"support". In practice, we support the latest released version and work with +OS vendors to make it easy for them to backport fixes for their distributed +packages. For some security issues, we will issue a patch-release which has +just a simple fix. + +We also often have `exim_VERSION+fixes` branches with small things which we +recommend that vendors use. + +For postmasters installing Exim manually, we recommend always using the latest +released tarball. + +## Reporting a Vulnerability + +Our security page is at . +It contains the current contact point and list of PGP keys to use for +encrypting particularly sensitive information. +This also links to our documentation and the chapter on security +considerations. + +Our security release process is at +. +This covers what we do in handling vulnerability reports. + +We have no bug bounty program of our own; we're far too disparate a group of +volunteers for such things. -- 2.25.1
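Review bot: In the "Reporting a Vulnerability" section, the sentences "Our security page is at ." and "Our security release process is at ." show no link target as the text reads here, so a reporter who lands on SECURITY.md has nowhere to go. Please confirm both URLs survive rendering, for example by writing them as explicit Markdown links with link text. Since the first link is the file's only route to the contact point and the PGP keys, consider also stating in this file itself how to make a report, so the policy stays usable if the link breaks. In "Supported Versions", the `exim_VERSION+fixes` branches are recommended to vendors without saying where they are published or how VERSION maps to a release; one sentence on that would make the recommendation actionable.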