init

SECURITY.md

@@ -0,0 +1,30 @@
+# Security Policy
+
+VPN Share handles user network traffic. Security issues should be treated as
+high priority even before the first stable release.
+
+## Reporting
+
+Report vulnerabilities privately to the maintainers. Do not open public issues
+for exploitable bugs until a fix is available.
+
+## Scope
+
+In scope:
+
+- Authentication bypass.
+- Traffic decryption or tampering.
+- DNS or traffic leaks.
+- Peer isolation failures.
+- Unsafe packet parser behavior.
+- Sensitive data logging.
+
+Out of scope:
+
+- Denial of service requiring physical access and no persistence.
+- Bugs in third-party VPN applications.
+
+## Disclosure Target
+
+Maintainers should acknowledge reports within 7 days and publish a fix timeline
+based on severity.