SECURITY.md explained

What is SECURITY.md?

SECURITY.md is a Markdown file that tells people how to report a security vulnerability in your project and what your security policy is.

SECURITY.md meaning

`SECURITY.md` is a community health file that documents a project's security policy. Its main job is to give security researchers a clear, private way to report a vulnerability instead of opening a public issue. On GitHub, when a SECURITY.md is present, the platform surfaces a "Report a vulnerability" path and links to the file from the Security tab, so reporters find it at the right moment.

Where SECURITY.md lives

Place it where GitHub looks for community health files: the repository root, a `.github` folder, or a `docs` folder.

SECURITY.md            # repository root
.github/SECURITY.md    # .github folder
docs/SECURITY.md       # docs folder

A single SECURITY.md can also live in a special `.github` repository to apply across an entire organization.

What to include

At minimum, a SECURITY.md should state:

- which versions are supported with security fixes
- how to report a vulnerability privately (a contact address or reporting form)
- what details a report should contain
- how quickly the maintainers respond
- how disclosure is coordinated once a fix is ready

A short SECURITY.md example

# Security Policy

## Supported versions
| Version | Supported |
| ------- | --------- |
| 1.x     | Yes       |
| < 1.0   | No        |

## Reporting a vulnerability
Email security@example.com. Do not open a public issue.
We respond within 3 business days.
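The two sections above (where the file lives and what it must contain) translate into a simple maintainer-side check. The following script is an added example and is not part of the original page or of any GitHub tooling; it assumes only the three locations GitHub documents for community health files (repository root, `.github/`, `docs/`) and treats the short example policy above as the minimum shape: a "Supported versions" table and a "Reporting a vulnerability" section that names a private contact (an e-mail address or an https URL). The sample policies embedded in it are constructed for the demonstration.

```python
"""Locate a repository's SECURITY.md and sanity-check its contents.

Added example (not from the page or from GitHub). Assumptions:
- the file is looked for in the three locations GitHub scans;
- a usable policy has a supported-versions table and a reporting
  section with a private contact (e-mail or https URL).
"""
import re
import tempfile
from pathlib import Path
from typing import Optional

# Lookup order is an assumption of this example; GitHub documents
# the three locations, and we simply report the first one found.
CANDIDATE_PATHS = ("SECURITY.md", ".github/SECURITY.md", "docs/SECURITY.md")

# Headings the short example policy on this page uses (matched case-insensitively).
REQUIRED_HEADINGS = ("supported versions", "reporting a vulnerability")

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(\.[\w-]+)+")
URL_RE = re.compile(r"https://\S+")
TABLE_ROW_RE = re.compile(r"^\|.*\|\s*$")

# Constructed sample policies: the page's own short example, and a weak one
# that invites public reports and lists no supported versions.
GOOD_POLICY = """# Security Policy

## Supported versions
| Version | Supported |
| ------- | --------- |
| 1.x     | Yes       |
| < 1.0   | No        |

## Reporting a vulnerability
Email security@example.com. Do not open a public issue.
We respond within 3 business days.
"""

BAD_POLICY = """# Security Policy

## Reporting a vulnerability
Open an issue and we will look at it.
"""


def find_security_md(repo_root: str) -> Optional[Path]:
    """Return the first SECURITY.md found in the locations GitHub scans."""
    for rel in CANDIDATE_PATHS:
        candidate = Path(repo_root) / rel
        if candidate.is_file():
            return candidate
    return None


def headings(markdown: str) -> list:
    """Lower-cased text of every ATX heading ("# ...") in the file."""
    return [
        re.sub(r"^#+\s*", "", line).strip().lower()
        for line in markdown.splitlines()
        if line.startswith("#")
    ]


def check_policy(markdown: str) -> list:
    """Return a list of problems; an empty list means the policy passes."""
    problems = []
    found = headings(markdown)
    for required in REQUIRED_HEADINGS:
        if not any(required in h for h in found):
            problems.append(f"missing section: {required}")
    # A supported-versions table needs a header row, a separator, and one data row.
    table_rows = [line for line in markdown.splitlines() if TABLE_ROW_RE.match(line)]
    if len(table_rows) < 3:
        problems.append("supported-versions table has no rows")
    # Without an e-mail address or https URL there is no private channel to use.
    if not (EMAIL_RE.search(markdown) or URL_RE.search(markdown)):
        problems.append("no private reporting contact (e-mail or https URL)")
    return problems


def check_repo(repo_root: str) -> dict:
    """Find the policy file in a checkout and validate it."""
    path = find_security_md(repo_root)
    if path is None:
        return {"path": None, "problems": ["no SECURITY.md in root, .github/ or docs/"]}
    rel = path.relative_to(repo_root).as_posix()
    return {"path": rel, "problems": check_policy(path.read_text())}


def demo() -> dict:
    """Build a throwaway checkout with the policy under .github/ and check it."""
    with tempfile.TemporaryDirectory() as tmp:
        github_dir = Path(tmp) / ".github"
        github_dir.mkdir()
        (github_dir / "SECURITY.md").write_text(GOOD_POLICY)
        return check_repo(tmp)


if __name__ == "__main__":
    print(demo())
    print(check_policy(BAD_POLICY))
```

Run it from a repository root (`check_repo(".")`) in CI to fail a build when the policy is missing or has lost its contact line; the weak sample policy is flagged three times, the page's own example passes clean.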

Why SECURITY.md matters

A clear security policy means vulnerabilities are reported responsibly and privately, not disclosed in public where they can be exploited. It sets expectations for both sides, builds trust with users and researchers, and is a basic signal of a mature, well-maintained project. For many compliance checks, a SECURITY.md is the expected place to find this information.

How AI tools use SECURITY.md

AI coding agents read SECURITY.md to learn the reporting process and supported-version policy before suggesting security-related changes or writing disclosure text. It complements operational files like CONTRIBUTING.md and project context in the README.md. Together these community health files give both people and agents a complete picture of how the project is run.

Edit SECURITY.md with a preview

Security policies use headings, tables, and links, so a preview helps. Draft SECURITY.md in the Markdown Docs online editor, or download Markdown Docs to edit it on Windows.

FAQ

Where should SECURITY.md be placed?

Put it in the repository root, a .github folder, or a docs folder. GitHub then links to it from the Security tab and the report-a-vulnerability flow.

What goes in SECURITY.md?

Supported versions, how to report a vulnerability privately, what to include in a report, response time, and the disclosure process.

Why not report bugs in a public issue?

Public reports expose a vulnerability before it is fixed. SECURITY.md gives a private channel so issues are handled responsibly.

Is SECURITY.md required?

It is not required, but it is strongly recommended. It is a standard community health file and a signal of a well-maintained project.