docs: security policy

Author: sander

README.md

@@ -1,6 +1,6 @@
 # Noise for Kotlin
 
-This project contains example code for implementing [Noise](https://noiseprotocol.org) protocols based on Diffie-Hellman key agreement. It may evolve into a usable library. [Contact me](mailto:[email protected]) if you are interested in helping out to realize this.
+**Noise for Kotlin** contains example code for implementing [Noise](https://noiseprotocol.org) protocols based on Diffie-Hellman key agreement. It may evolve into a usable library. [Contact me](mailto:[email protected]) if you are interested in helping out to realize this.
 
 > **Warning**: Reasons why you **may not** use any of this code in production yet:
 >
@@ -32,3 +32,8 @@ Instead of `test`, use `jar` to create a JAR in `build/distributions`.
 - Support only Curve25519, ChaCha20-Poly1305, and SHA-256 to reduce the need to choose and since these are available on most platforms.
     - Consequence: it should be easy to use with [Kotlin Multiplatform](https://kotlinlang.org/docs/multiplatform.html)).
 - Use only Kotlin types and functions, and nothing directly from Java SE or libraries.
+
+## Related resources
+
+- [License](LICENSE.md)
+- [Security policy](SECURITY.md)

SECURITY.md

@@ -0,0 +1,11 @@
+# Security policy
+
+> **Warning**: Do not use this code in production. Expect vulnerabilities. See the [README](README.md) for details.
+
+## Supported versions
+
+Currently only snapshot versions are available. Any vulnerability should be mitigated in a next snapshot version.
+
+## Reporting a vulnerability
+
+Report vulnerabilities to [Sander](mailto:[email protected]) in private, mentioning the project name in the mail subject header. Indicate if and how you want to be identified when publishing about the vulnerability. Expect to get a response within 7 days, but usually within 48 hours, indicating whether the report is accepted. I make my best effort to share fixes for vulnerabilities and publish about the reports when appropriate.