Create SECURITY.md

SECURITY.md

@@ -0,0 +1,49 @@
+# related-posts-for-wp's Security Policy
+
+Welcome and thanks for taking interest in related-posts-for-wp!
+
+We are mostly interested in reports by actual related-posts-for-wp users, but all high quality contributions are welcome.
+
+Please try your best to describe a clear and realistic impact for your report, and please don't open any public issues on GitHub or social media, we're doing our best to respond through huntr as quickly as we can.
+
+With that, good luck hacking us ;)
+
+## Supported Versions
+
+Please always test your found vulnerabilities against the latest version [master branch](https://github.com/barrykooij/related-posts-for-wp/tree/master). This is the only supported version.
+
+
+## Qualifying Vulnerabilities
+
+### Vulnerabilities we really care about 🫣
+- Remote command execution
+- SQL Injection
+- Authentication bypass
+- Privilege Escalation
+- Cross-site scripting (XSS)
+- Performing limited admin actions without authorization
+- CSRF
+
+### Vulnerabilities we accept 🙂
+
+- Open redirects
+-  Password brute-forcing that circumvents rate limiting
+
+
+
+## Non-Qualifying Vulnerabilities
+
+- Reports from automated tools or scanners
+- Theoretical attacks without proof of exploitability
+- Attacks that are the result of a third party library should be reported to the library maintainers
+- Social engineering
+- Reflected file download
+- Physical attacks
+- Weak SSL/TLS/SSH algorithms or protocols
+- Attacks involving physical access to a user’s device, or involving a device or network that’s already seriously compromised (eg man-in-the-middle).
+- The user attacks themselves
+
+
+## Reporting a Vulnerability
+
+Vulnerability can be reported via email to support@relatedpostsforwp.com or via [Huntr](https://huntr.dev/repos/barrykooij/related-posts-for-wp/)