From de458b735762ab12a66e92807ddc47345cdb44d0 Mon Sep 17 00:00:00 2001 From: Ludovic Fernandez Date: Wed, 29 Jul 2020 12:42:03 +0200 Subject: [PATCH] doc: add security policies. --- README.md | 2 +- SECURITY.md | 29 +++++++++++++++++++++++++++++ 2 files changed, 30 insertions(+), 1 deletion(-) create mode 100644 SECURITY.md diff --git a/README.md b/README.md index 628c5c303..b74613d6f 100644 --- a/README.md +++ b/README.md @@ -137,7 +137,7 @@ By participating in this project, you agree to abide by its terms. ## Release Cycle -- We release a new version (e.g. 1.1.0, 1.2.0, 1.3.0) every other month. +- We usually release 3/4 new versions (e.g. 1.1.0, 1.2.0, 1.3.0) per year. - Release Candidates are available before the release (e.g. 1.1.0-rc1, 1.1.0-rc2, 1.1.0-rc3, 1.1.0-rc4, before 1.1.0). - Bug-fixes (e.g. 1.1.1, 1.1.2, 1.2.1, 1.2.3) are released as needed (no additional features are delivered in those versions, bug-fixes only). diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 000000000..cad069c72 --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,29 @@ +# Security Policy + +We strongly advise you to register your Traefik instances to [Pilot](http://pilot.traefik.io) to be notified of security advisories that apply to your Traefik version. +You can also join our security mailing list to be aware of the latest announcements from our security team. +You can subscribe sending a mail to security+subscribe@traefik.io or on [the online viewer](https://groups.google.com/a/traefik.io/forum/#!forum/security). + +Reported vulnerabilities can be found on [cve.mitre.org](https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=traefik). + +## Supported Versions + +- We usually release 3/4 new versions (e.g. 1.1.0, 1.2.0, 1.3.0) per year. +- Release Candidates are available before the release (e.g. 1.1.0-rc1, 1.1.0-rc2, 1.1.0-rc3, 1.1.0-rc4, before 1.1.0). +- Bug-fixes (e.g. 1.1.1, 1.1.2, 1.2.1, 1.2.3) are released as needed (no additional features are delivered in those versions, bug-fixes only). + +Each version is supported until the next one is released (e.g. 1.1.x will be supported until 1.2.0 is out). + +We use [Semantic Versioning](https://semver.org/). + +| Version | Supported | +| --------- | ------------------ | +| `2.2.x` | :white_check_mark: | +| `< 2.2.x` | :x: | +| `1.7.x` | :white_check_mark: | +| `< 1.7.x` | :x: | + +## Reporting a Vulnerability + +We want to keep Traefik safe for everyone. +If you've discovered a security vulnerability in Traefik, we appreciate your help in disclosing it to us in a responsible manner, using [this form](https://security.traefik.io).
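Review bot: In the README.md hunk, the new bullet "We usually release 3/4 new versions (e.g. 1.1.0, 1.2.0, 1.3.0) per year" is ambiguous, because "3/4" can be read as a fraction; "3 or 4 new versions" would remove the doubt. The same three release-cycle bullets are added again under "Supported Versions" in SECURITY.md, so the two copies can drift apart over time. Consider keeping the list in one file and linking to it from the other.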
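Review bot: In the SECURITY.md hunk, the "Supported Versions" table contradicts itself: the row `< 2.2.x` is marked :x:, yet `1.7.x`, which is lower than 2.2.x, is marked :white_check_mark:. The sentence "Each version is supported until the next one is released (e.g. 1.1.x will be supported until 1.2.0 is out)" also does not explain why 1.7.x stays supported alongside 2.2.x. A reader deciding whether a deployed version still receives security fixes needs this to be unambiguous, so I suggest bounding the unsupported range (a row that covers only the 2.x releases before 2.2) and stating the 1.7.x exception in the text above the table. Separately, the Pilot link in the first paragraph is `http://pilot.traefik.io` while every other link in the file uses https; for a page that directs users to security advisories it should be https as well, if the site serves it.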