From d43714aac97110f059c3e72ec86d5050369ebcdd Mon Sep 17 00:00:00 2001 From: Scot Matson <4695187+scotmatson@users.noreply.github.com> Date: Mon, 18 May 2026 22:03:49 +0000 Subject: [PATCH] security: add SECURITY.md vulnerability disclosure policy --- .github/SECURITY.md | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) create mode 100644 .github/SECURITY.md diff --git a/.github/SECURITY.md b/.github/SECURITY.md new file mode 100644 index 0000000..eb5cdfc --- /dev/null +++ b/.github/SECURITY.md 
@@ -0,0 +1,27 @@ +# Security Policy + +## Reporting a Vulnerability + +We take the security of our services and the privacy of our users' data very seriously. If you have discovered a security vulnerability, we appreciate your help in disclosing it to us responsibly. + +**Please do not report security vulnerabilities through public GitHub issues or public forums.** + +### How to Report +Please choose the path that best fits your intent: + +* **Responsible Disclosure:** If you have identified a security vulnerability, please email **[security@mixpanel.com](mailto:security@mixpanel.com)**. + * *Note:* Your report will be routed to our internal ticketing system. We will acknowledge receipt of your findings. Please be advised that we do not maintain ongoing communication regarding the status of reports unless we have specific follow-up questions. + +* **Bug Bounty Program:** If you are a security researcher interested in participating in our private bug bounty program, please email **[bugbounty@mixpanel.com](mailto:bugbounty@mixpanel.com)** to request onboarding instructions. + * *Note:* Participation in our private program is subject to eligibility requirements, including a verification process to ensure researchers are in good standing on the [HackerOne](https://www.hackerone.com/) platform. + +### What to Include in Your Report +To help us triage the issue effectively, please include: +* **Summary:** A clear description of the vulnerability. +* **Environment:** The affected service, SDK, or repository. +* **Reproduction Steps:** Step-by-step instructions to reproduce the issue. +* **Impact:** A description of the potential risk. +* **Remediation Suggestions:** Any specific recommendations you have for mitigating or fixing the vulnerability. + +### Supported Versions +We are committed to securing our latest stable releases. We recommend all users keep their implementations updated to the most current version to ensure they have the latest security patches.
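Review bot: The "Responsible Disclosure" note promises that receipt will be acknowledged but gives no time frame, and then states that there is no ongoing communication on report status, so a reporter has no way to tell when a fix has shipped or when public disclosure would be acceptable. Consider stating an acknowledgement window and a disclosure expectation (for example, that reporters are asked to hold details until notified or until a stated number of days has passed). Two smaller points in the same file: email is the only reporting channel and no encrypted option is offered, which matters because "Reproduction Steps" will often contain sensitive detail; and the "Supported Versions" section names no versions, so it is unclear whether a finding in an older SDK release is in scope. A short statement such as "only the latest release of each SDK receives security fixes", if that is the intent, would remove the ambiguity.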