From 5673f1314a2af979590c2803a63da9066d1ecf9f Mon Sep 17 00:00:00 2001 From: Mark Atwood Date: Fri, 29 May 2026 10:38:20 -0700 Subject: [PATCH] docs: add org-level security policy Add SECURITY.md pointing to the canonical vulnerability disclosure policy at wolfssl.com. This gives every wolfSSL repo without its own SECURITY.md a Security tab on GitHub. --- SECURITY.md | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..72ed662 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,21 @@ +# wolfSSL Security Policy + +## Reporting a Vulnerability + +Report security vulnerabilities to **security@wolfssl.com** or call **+1-425-245-8247**. + +Reports may be encrypted with our PGP key: + + Fingerprint: A2A4 8E7B CB96 C5BE CB98 7314 EBC8 0E41 5CA2 9677 + Key server: keys.openpgp.org + +## Full Policy + +Our coordinated vulnerability disclosure policy — including scope, threat-model +boundaries, response commitments, and EU Cyber Resilience Act obligations — is +published at: + + https://www.wolfssl.com/.well-known/vulnerability-disclosure-policy.txt + +This policy covers wolfSSL, wolfCrypt, wolfBoot, wolfSSH, wolfMQTT, wolfTPM, +wolfGuard, wolfCOSE, and other wolfSSL products.
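Review bot: the "Reporting a Vulnerability" section never tells reporters not to open a public GitHub issue, and the Security tab this file enables sits right beside the Issues tab on every repo that inherits it; one sentence ahead of the contact line, e.g. "Please do not report security vulnerabilities through public GitHub issues.", would close that gap. The PGP block also gives only a fingerprint and a key server, so a reader has no wolfSSL-controlled source to confirm the key against; consider linking the armored public key on wolfssl.com next to the fingerprint, or stating that the fingerprint is the value to verify after fetching from keys.openpgp.org. Lastly, since the full policy already lives under /.well-known/ on wolfssl.com, a pointer to the site's RFC 9116 security.txt (if one is published) would let scanners and tooling discover the same contacts automatically.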