From 3961c9ede42cc1986567dfb10eb5da4d88ae35c1 Mon Sep 17 00:00:00 2001 From: Aleksey Myasnikov <79263256394@ya.ru> Date: Thu, 26 May 2022 16:41:22 +0300 Subject: [PATCH] Update SECURITY.md --- SECURITY.md | 28 ++++++++++++++-------------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index 034e84803..e0086a4e3 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -1,21 +1,21 @@ # Security Policy -## Supported Versions +## Reporting a Vulnerability -Use this section to tell people about which versions of your project are -currently being supported with security updates. +We're extremely grateful for security researchers and users who report vulnerabilities they discovered in YDB. All reports are thoroughly investigated. -| Version | Supported | -| ------- | ------------------ | -| 5.1.x | :white_check_mark: | -| 5.0.x | :x: | -| 4.0.x | :white_check_mark: | -| < 4.0 | :x: | +To report a potential vulnerability in YDB please email details to [security@ydb.tech](mailto:security@ydb.tech). -## Reporting a Vulnerability +### When Should I Report a Vulnerability? + +- You think you discovered a potential security vulnerability in YDB +- You are unsure how a vulnerability affects YDB + +## Security Vulnerability Response + +Each report is acknowledged and analyzed by YDB maintainers within 5 working days. +We will keep the reporter informed about the issue progress. -Use this section to tell people how to report a vulnerability. +## Public Disclosure Timing -Tell them where to go, how often they can expect to get an update on a -reported vulnerability, what to expect if the vulnerability is accepted or -declined, etc. +A public disclosure date is negotiated by YDB maintainers and the bug submitter. We prefer to fully disclose the bug as soon as possible once a mitigation is available for YDB users. It is reasonable to delay disclosure when the bug or the fix is not yet fully understood, the solution is not well-tested, or for vendor coordination. The timeframe for disclosure is from immediate (especially if it's already publicly known) to 90 days. For a vulnerability with a straightforward mitigation, we expect report date to disclosure date to be on the order of 7 days.
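Review bot: the hunk removes the whole "Supported Versions" section (the table of which release lines receive security updates) without replacing it, so after this change a reporter reading SECURITY.md cannot tell which YDB versions are in scope for a fix or whether an issue in an older release will be patched. Suggest keeping a short supported-versions statement (or a link to where release support is documented) next to the new "Reporting a Vulnerability" section, even if the template table with placeholder versions 5.1.x/4.0.x is dropped. Two smaller points in the same hunk: the report-timing sentence reads awkwardly and would be clearer as "we expect the time from report to disclosure to be on the order of 7 days", and the reporting instructions give only a plain mailto: address; if the project offers a PGP key or other way to send details confidentially, it belongs here, and if not, that should be a deliberate decision rather than an omission.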