From e0a02f36f1df55effca9eb142540d4efe89bbf93 Mon Sep 17 00:00:00 2001 From: Kristjan ESPERANTO <35647502+KristjanESPERANTO@users.noreply.github.com> Date: Mon, 30 Mar 2026 23:12:40 +0200 Subject: [PATCH] docs: add security policy and vulnerability reporting guidelines --- .github/SECURITY.md | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) create mode 100644 .github/SECURITY.md diff --git a/.github/SECURITY.md b/.github/SECURITY.md new file mode 100644 index 0000000000..f58390678b --- /dev/null +++ b/.github/SECURITY.md @@ -0,0 +1,31 @@ +# Security Policy + +## Scope and Deployment + +MagicMirror is primarily intended for trusted local/private network environments. +Direct public exposure to the internet or other untrusted networks is not recommended. + +We take security seriously and encourage responsible disclosure of vulnerabilities to help us improve the software. + +## Reporting a Vulnerability + +**Please keep vulnerability details private** — do not post them in public GitHub issues. + +Instead, reach out privately via the MagicMirror forum to one of the core developers: + +- [rejas](https://forum.magicmirror.builders/user/rejas) +- [karsten13](https://forum.magicmirror.builders/user/karsten13) +- [sdetweil](https://forum.magicmirror.builders/user/sdetweil) +- [Kristjan](https://forum.magicmirror.builders/user/kristjanesperanto) + +Please include, if possible: + +- Affected version(s) +- Reproduction steps or proof-of-concept +- What could an attacker do with this? +- Any ideas how to fix it? + +## Coordinated Disclosure + +We will keep reported vulnerabilities private until a fix is available and coordinate the disclosure timeline with you. +We aim to respond as quickly as possible.
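Review bot: the "Reporting a Vulnerability" section routes every report through forum private messages to four named individual accounts, which leaves no fallback if those accounts are inactive or their forum profiles change, and says nothing about a "Supported Versions" range, so a reporter filling in "Affected version(s)" cannot tell which releases are in scope; consider adding a single shared fallback contact and a short supported-versions statement alongside the per-person links. Minor style point in the "Please include, if possible:" list: the items `- What could an attacker do with this?` and `- Any ideas how to fix it?` are phrased as questions while the preceding two are noun phrases, so `- Potential impact` and `- Suggested fix, if any` would read consistently with `- Affected version(s)`.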