Create SECURITY.md

SECURITY.md

@@ -0,0 +1,33 @@
+# Security Policy
+
+## Supported Versions
+The following release lines are currently receiving active security updates and bug fixes:
+
+| Version  | Supported          |
+| -------- | ------------------ |
+| 3.15.x   | :white_check_mark: |
+| < 3.15.0 | :x:                |
+
+## Reporting a Vulnerability
+
+**DO NOT report vulnerabilities on the GitHub issue tracker.**
+GitHub is public and anyone can see the issues you post on the issue tracker, including people who would exploit vulnerabilities for their own gain.
+
+**WARNING: You may put live servers at risk by reporting a vulnerability on the GitHub issue tracker.**
+
+**Contact us** by sending an email to [**team@pmmp.io**](mailto:team@pmmp.io?subject=Security%20Vulnerability%20in%20PocketMine-MP). Include the following information:
+
+- Version of PocketMine-MP
+- Detailed description of the vulnerability (e.g. how to exploit it, what the effects are)
+
+Please note that we can't guarantee a reply to every email.
+
+## FAQ
+### Do you offer a bug bounty?
+No.
+
+### How soon can I expect a fix for a vulnerability I've reported?
+This depends on the nature of the problem. We can't provide any general ETA (nor would it be wise to provide one).
+In general, it depends on when developers have time to look into the problem, how complex the problem is to fix, and how many users it impacts.
+
+When a fix for a severe vulnerability is pushed, a patch release for the target version will usually be released within 24 hours so that users can update.