docs/content/code-security/getting-started/adding-a-security-policy-to-your-repository.md

title, intro, redirect_from, versions, type, topics, shortTitle

title	intro	redirect_from	versions	type	topics	shortTitle
Adding a security policy to your repository	You can give instructions for how to report a security vulnerability in your project by adding a security policy to your repository.	/articles/adding-a-security-policy-to-your-repository /github/managing-security-vulnerabilities/adding-a-security-policy-to-your-repository /github/code-security/security-advisories/adding-a-security-policy-to-your-repository	fpt ghes ghae ghec * * * *	how_to	Security policies Vulnerabilities Repositories Health	Add a security policy

About security policies

To give people instructions for reporting security vulnerabilities in your project,{% ifversion fpt or ghes or ghec %} you can add a SECURITY.md file to your repository's root, docs, or .github folder.{% else %} you can add a SECURITY.md file to your repository's root, or docs folder.{% endif %} When someone creates an issue in your repository, they will see a link to your project's security policy.

{% ifversion not ghae %}

You can create a default security policy for your organization or user account. For more information, see "Creating a default community health file." {% endif %}

{% tip %}

Tip: To help people find your security policy, you can link to your SECURITY.md file from other places in your repository, such as your README file. For more information, see "About READMEs."

{% endtip %}

{% ifversion fpt or ghec %} After someone reports a security vulnerability in your project, you can use {% data variables.product.prodname_security_advisories %} to disclose, fix, and publish information about the vulnerability. For more information about the process of reporting and disclosing vulnerabilities in {% data variables.product.prodname_dotcom %}, see "About coordinated disclosure of security vulnerabilities." For more information about {% data variables.product.prodname_security_advisories %}, see "About {% data variables.product.prodname_security_advisories %}."

{% data reusables.repositories.github-security-lab %} {% endif %} {% ifversion ghes or ghae %}

By making security reporting instructions clearly available, you make it easy for your users to report any security vulnerabilities they find in your repository using your preferred communication channel. {% endif %}

Adding a security policy to your repository

{% data reusables.repositories.navigate-to-repo %} {% data reusables.repositories.sidebar-security %} 3. In the left sidebar, click Security policy. 4. Click Start setup. 5. In the new SECURITY.md file, add information about supported versions of your project and how to report a vulnerability. {% data reusables.files.write_commit_message %} {% data reusables.files.choose-commit-email %} {% data reusables.files.choose_commit_branch %} {% data reusables.files.propose_file_change %}

Further reading

• "Securing your repository"{% ifversion not ghae %}
• "Setting up your project for healthy contributions"{% endif %}{% ifversion fpt or ghec %}
• [{% data variables.product.prodname_security %}]({% data variables.product.prodname_security_link %}){% endif %}