From 9a343353b2aebcc80bd32661f5325e87d1eff48a Mon Sep 17 00:00:00 2001 From: "Justin (shocknet)" <34176400+shocknet-justin@users.noreply.github.com> Date: Sat, 13 Jul 2024 16:17:43 -0400 Subject: [PATCH] Create SECURITY.md --- SECURITY.md | 49 +++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 49 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 00000000..1701b0b8 --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,49 @@ +# Security Policy + +## Reporting a Security Bug + +The ShockNet team and our open-source community take all security bugs seriously. We appreciate your efforts to responsibly disclose your findings, and will make every effort to acknowledge your contributions. + +To report a security issue, please use the GitHub Security Advisory "Report a Vulnerability" feature on our repository page. + +Please do not report security vulnerabilities through public GitHub issues, discussions, or pull requests. + +## Responsible Disclosure Guidelines + +We request that you: + +1. Allow us a reasonable amount of time to fix the issue before disclosing it publicly. +2. Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of any services. +3. Only interact with accounts you own or with explicit permission of the account holder. +4. Do not exploit the vulnerability beyond the minimum amount of testing required to prove that a vulnerability exists or to identify an indicator related to a vulnerability. + +## Scope + +This security policy applies to all ShockNet repositories. + +## Handling of Vulnerability Reports + +1. The security team will acknowledge receipt of your report within 3 business days. +2. We will send a more detailed response within 7 days indicating the next steps in handling your report. +3. We will keep you informed about the progress towards a fix and full announcement. +4. We may ask for additional information or guidance. + +## Bug Bounty Program + +Due to griefing attacks we do not officially offer a paid bug bounty program. + +We may offer a bounty for critical vulnerabilities on a case-by-case basis, payable in Bitcoin. Determining whether a vulnerability qualifies and the amount of the bounty is at our sole discretion. + +We are deeply grateful to security researchers who take the time to investigate and report security vulnerabilities to stengthen the Bitcoin ecosystem. 
+ +## Safe Harbor + +We support safe harbor for security researchers who: + +1. Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our services. +2. Only exploit vulnerabilities to the extent necessary to confirm them. +3. Do not use an exploit to compromise or exfiltrate user data. +4. Cease testing and submit a report immediately upon discovery of a vulnerability. +5. Do not publish or share vulnerabilities or associated details other than with the ShockNet team until the team has had a reasonable time to address them. + +Thank you for helping keep our users safe!
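Review bot: Typo in the Bug Bounty Program section: "stengthen the Bitcoin ecosystem" should read "strengthen the Bitcoin ecosystem". Two smaller points in the same hunk: the Handling of Vulnerability Reports list mixes "3 business days" with "7 days" (consider "7 business days" or "7 calendar days" so reporters know which clock applies), and the reporting instructions rely on the GitHub "Report a Vulnerability" feature, which only appears if private vulnerability reporting is enabled in the repository settings, so confirm it is switched on for every repository the Scope section covers, or add a fallback contact (for example a security e-mail address) for reporters who cannot use it.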