security: add SECURITY.md

.github/SECURITY.md

@@ -0,0 +1,27 @@
+# Security Policy
+
+## Reporting a Vulnerability
+
+We take the security of our services and the privacy of our users' data very seriously. If you have discovered a security vulnerability, we appreciate your help in disclosing it to us responsibly.
+
+**Please do not report security vulnerabilities through public GitHub issues or public forums.**
+
+### How to Report
+Please choose the path that best fits your intent:
+
+* **Responsible Disclosure:** If you have identified a security vulnerability, please email **[security@mixpanel.com](mailto:security@mixpanel.com)**.
+    * *Note:* Your report will be routed to our internal ticketing system. We will acknowledge receipt of your findings. Please be advised that we do not maintain ongoing communication regarding the status of reports unless we have specific follow-up questions.
+
+* **Bug Bounty Program:** If you are a security researcher interested in participating in our private bug bounty program, please email **[bugbounty@mixpanel.com](mailto:bugbounty@mixpanel.com)** to request onboarding instructions.
+    * *Note:* Participation in our private program is subject to eligibility requirements, including a verification process to ensure researchers are in good standing on the [HackerOne](https://www.hackerone.com/) platform.
+
+### What to Include in Your Report
+To help us triage the issue effectively, please include:
+* **Summary:** A clear description of the vulnerability.
+* **Environment:** The affected service, SDK, or repository.
+* **Reproduction Steps:** Step-by-step instructions to reproduce the issue.
+* **Impact:** A description of the potential risk.
+* **Remediation Suggestions:** Any specific recommendations you have for mitigating or fixing the vulnerability.
+
+### Supported Versions
+We are committed to securing our latest stable releases. We recommend all users keep their implementations updated to the most current version to ensure they have the latest security patches.