Create SECURITY.md

SECURITY.md

@@ -0,0 +1,45 @@
+# Security Policy
+
+As a U.S. Government agency, the General Services Administration (GSA) takes
+seriously our responsibility to protect the public's information, including
+financial and personal information, from unwarranted disclosure.
+
+## Reporting a Vulnerability
+
+Services operated by the U.S. General Services Administration (GSA)
+are covered by the **GSA Vulnerability Disclosure Program (VDP)**.
+
+See the [GSA Vulnerability Disclosure Policy](https://gsa.gov/vulnerability-disclosure-policy)
+at <https://www.gsa.gov/vulnerability-disclosure-policy> for details including:
+
+* How to submit a report if you believe you have discovered a vulnerability.
+* GSA's coordinated disclosure policy.
+* Information on how you may conduct security research on GSA developed
+  software and systems.
+* Important legal and policy guidance.
+
+### [Bug Bounties](https://hackerone.com/gsa_bbp)
+
+Certain GSA/TTS programs have bug bounties that are not discussed at the above link. If you find security issues for any of the following domains:
+
+* 18f.gov
+* cloud.gov
+* fedramp.gov
+* login.gov
+* search.gov
+* usa.gov
+* vote.gov
+
+you should also review the [GSA Bug Bounty program](https://hackerone.com/gsa_bbp) at <https://hackerone.com/gsa_bbp/> for a potential bounty.
+
+## Supported Versions
+
+Please note that only certain branches are supported with security updates.
+
+| Version (Branch) | Supported          |
+| ---------------- | ------------------ |
+| main             | :white_check_mark: |
+| other            | :x:                |
+
+When using this code or reporting vulnerabilities please only use supported
+versions.