From a72284b499c6ac261645991b3cefc603840c639e Mon Sep 17 00:00:00 2001 From: Daniel Sogl Date: Sat, 21 Mar 2026 17:14:59 -0700 Subject: [PATCH] docs: add security policy for vulnerability reporting --- SECURITY.md | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 000000000..ac18ec9e2 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,28 @@ +# Security Policy + +## Reporting a Vulnerability + +If you discover a security vulnerability in Awesome Cordova Plugins, please report it responsibly. + +**Do not open a public GitHub issue for security vulnerabilities.** + +Instead, please send an email to the maintainer or use [GitHub's private vulnerability reporting](https://github.com/danielsogl/awesome-cordova-plugins/security/advisories/new). + +### What to include + +- Description of the vulnerability +- Steps to reproduce +- Affected versions +- Potential impact + +### Response + +You can expect an initial response within 72 hours. We will work with you to understand the issue and coordinate a fix before any public disclosure. + +## Scope + +This policy covers the `@awesome-cordova-plugins/*` TypeScript wrapper packages. For vulnerabilities in the underlying Cordova plugins themselves, please report to the respective plugin maintainers. + +## Supported Versions + +Only the latest major version receives security updates.
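Review bot: In the "Reporting a Vulnerability" section, the line "please send an email to the maintainer" names no address, so a reporter who cannot use GitHub's private vulnerability reporting has no stated private channel. Without one, the fallback may be the public issue that the policy forbids. Either add the contact address or a pointer to where it is published, or drop the email option and keep the advisory link as the single channel. In "Supported Versions", "Only the latest major version receives security updates" would be easier to act on if it named the current major version, since reporters are asked to list "Affected versions". The "Response" section promises an initial response within 72 hours but does not say what a reporter should do if that window passes without a reply. One sentence covering that case would close the gap.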