@@ -0,0 +1,26 @@
+# Security Policy
+
+## Supported Versions
+
+Only the latest release of Matcha is supported with security updates.
+
+## Reporting a Vulnerability
+
+If you discover a security vulnerability in Matcha, please report it responsibly. **Do not open a public issue.**
+
+Email us at [us@floatpane.com](mailto:us@floatpane.com) with:
+
+- A description of the vulnerability
+- Steps to reproduce the issue
+- The potential impact
+- Any suggested fixes (optional)
+
+We will acknowledge your report within 48 hours and aim to provide a fix or mitigation plan within 7 days, depending on severity.
+
+## Scope
+
+This policy covers the Matcha codebase and its official releases. Third-party dependencies are outside our direct control, but we will work to address reported issues in dependencies as quickly as possible.
+
+## Disclosure
+
+We ask that you give us reasonable time to address the issue before disclosing it publicly. We are committed to crediting reporters in release notes (unless you prefer to remain anonymous).