added security.md

security.md

@@ -0,0 +1,19 @@
+# Security Policy
+
+## Reporting a Vulnerability
+
+Security is of the highest importance and all security vulnerabilities or suspected security vulnerabilities should be reported to Thingsbpard privately,
+to minimize attacks against current users of Thingsboard before they are fixed. Vulnerabilities will be investigated and release as soon as possible.
+
+To report a vulnerability or a security-related issue, please email the private address security@thingsboard.io with the details of the vulnerability.
+Emails will be addressed within 3 business days, including a detailed plan to investigate the issue and any potential workarounds to perform in the meantime.
+Do not report non-security-impacting bugs through this channel. Use GitHub issues instead.
+
+**Proposed Email Content**
+Provide a descriptive subject line and in the body of the email include the following information:
+
+Basic identity information, such as your name and your affiliation or company.
+Detailed steps to reproduce the vulnerability (POC scripts, screenshots, and compressed packet captures are all helpful to us).
+Description of the effects of the vulnerability on Thingsboard and the related hardware and software configurations, so that the Thingsboarf Security Team can reproduce it.
+How the vulnerability affects Thingsboard usage and an estimation of the attack surface, if there is one.
+List other projects or dependencies that were used in conjunction with Thingsboard to produce the vulnerability.