Add security policy

Iproute2 security policy is minimal since the security
domain is controlled by the kernel. But it should be documented
before some new security related bug arises at some future time.

Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>

diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644 (file)
index 0000000..d5a7775
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,21 @@
+# Security Policy
+
+## Reporting a vulnerability
+
+The iproute2 suite of utilities is tightly coupled with the Linux
+kernel networking. Therefore the bug reporting process mirrors
+the Linux kernel. Most security problems reported related to
+iproute2 are really Linux kernel issues (a.k.a Shoot the messenger)
+and are best handled via
+[Linux Security Bugs](https://docs.kernel.org/process/security-bugs.html).
+
+For other issues please report bugs to netdev@vger.kernel.org
+and include an example script.
+
+## Supported Versions
+
+There are no official "Long Term Support" versions for iproute2.
+The iproute2 version matches the Linux kernel versions.
+There will be occasional maintenance releases for serious
+issues if found. Users who need support are encouraged
+to use the version of iproute2 found in major distributions.