From d69435c97cf26767ca3f6a53cdf5f45a51f4c463 Mon Sep 17 00:00:00 2001 From: Steven Date: Fri, 21 Nov 2025 09:13:40 +0800 Subject: [PATCH] chore(docs): update security policy to prevent public vulnerability disclosure - Direct security reports to email only instead of public GitHub issues - Set clear expectations: no CVEs during beta (v0.x) phase - Add security best practices for self-hosted deployments - Plan formal vulnerability disclosure program for v1.0+ Addresses #5255 --- SECURITY.md | 45 ++++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 42 insertions(+), 3 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index 48ab17ab2..0e28fae28 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -1,7 +1,46 @@ # Security Policy -## Reporting a bug +## Project Status -Report security bugs via GitHub [issues](https://github.com/usememos/memos/issues). +Memos is currently in beta (v0.x). While we take security seriously, we are not yet ready for formal CVE assignments or coordinated disclosure programs. -For more information, please contact [usememos@gmail.com](usememos@gmail.com). +## Reporting Security Issues + +### For All Security Concerns: +Please report via **email only**: usememos@gmail.com + +**DO NOT open public GitHub issues for security vulnerabilities.** + +Include in your report: +- Description of the issue +- Steps to reproduce +- Affected versions +- Your assessment of severity + +### What to Expect: +- We will acknowledge your report as soon as we can +- Fixes will be included in regular releases without special security advisories +- No CVEs will be assigned during the beta phase +- Credit will be given in release notes if you wish + +### For Non-Security Bugs: +Use GitHub issues for functionality bugs, feature requests, and general questions. + +## Philosophy + +As a beta project, we prioritize: +1. **Rapid iteration** over lengthy disclosure timelines +2. **Quick patches** over formal security processes +3. **Transparency** about our beta status + +We plan to implement formal vulnerability disclosure and CVE handling after reaching v1.0 stable. + +## Self-Hosting Security + +Since Memos is self-hosted software: +- Keep your instance updated to the latest release +- Don't expose your instance directly to the internet without authentication +- Use reverse proxies (nginx, Caddy) with rate limiting +- Review the deployment documentation for security best practices + +Thank you for helping improve Memos!
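Review bot: The line `+- No CVEs will be assigned during the beta phase` promises something the project does not control; any CNA (MITRE included) can assign a CVE for a reported issue in a public open-source project regardless of the maintainers' policy, so this should read as a statement of intent, e.g. "We will not request CVEs during the beta phase", to avoid setting an expectation that a third-party CVE cannot contradict. In the same section, `+- Fixes will be included in regular releases without special security advisories` leaves self-hosters with no way to tell which releases close a security hole, which works against the `+- Keep your instance updated to the latest release` advice added below it; consider committing to at least tagging security-relevant fixes in the release notes (without reproduction detail) so operators can prioritize those upgrades. Finally, since the new policy depends entirely on `+Please report via **email only**: usememos@gmail.com`, it would help reporters to also mention GitHub's private vulnerability reporting feature for the repository (if enabled) as a second confidential channel, and to state who monitors that mailbox, so a single unattended address does not become the reason a report ends up as a public issue anyway.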