Security policy

docs/SECURITY.md

@@ -0,0 +1,34 @@
+<!--
+This is a default security policy that applies to the entire testdouble organization.
+It may be overridden by a repo-specific security policy.
+https://docs.github.com/en/communities/setting-up-your-project-for-healthy-contributions/creating-a-default-community-health-file
+-->
+
+# Security Policy 🛡️
+
+## ✅ Supported Versions
+
+Only the greatest published version (according to SemVer) will be supported.
+This version will be indicated as the "Latest Release" on GitHub Releases. :octocat:
+
+## ⚠️ Reporting a Vulnerability
+
+Use GitHub's built-in reporting mechanism for disclosure.
+Go to the Security tab -> Report a vulnerability.
+
+<!-- TODO
+
+We should add some references here to maintainer security.
+- requiring maintainers to have MFA set up
+- preferring Trusted Publishing for platforms that support it
+- + a docs link: https://github.blog/changelog/2025-07-31-npm-trusted-publishing-with-oidc-is-generally-available/
+
+- perhaps some references to securing github actions
+- https://docs.github.com/en/actions/reference/security/secure-use
+- GHA security with linters like https://github.com/zizmorcore/zizmor
+- hardening runners with: https://github.com/step-security/harden-runner
+- Enabling dependabot (both version and security alerts)
+- Enabling code security scanning: https://github.com/testdouble/.github/security
+
+
+-->