From dfddc3f40c97f98a7482e0e5fab9f32a4db7d527 Mon Sep 17 00:00:00 2001 From: Jamison Bryant Date: Wed, 27 May 2026 21:53:59 -0400 Subject: [PATCH 1/2] Add security policy --- .github/SECURITY.md | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) create mode 100644 .github/SECURITY.md diff --git a/.github/SECURITY.md b/.github/SECURITY.md new file mode 100644 index 0000000..3ab7b68 --- /dev/null +++ b/.github/SECURITY.md @@ -0,0 +1,30 @@ +# Security Policy + +## Supported Versions + +We support fixing security issues on the following releases: + +| Version | Supported | Security fixes until +| ------- | ------------------ | -------------------- +| 5.x | :white_check_mark: | Currently supported +| 4.x | :white_check_mark: | The release of 6.x +| 3.x | :white_check_mark: | 36 Months after the release of CakePHP 5.0 (09 Sep 2026) +| 2.x | :x: | No longer supported +| <=1.0 | :x: | No longer supported + +## Reporting a Vulnerability + +If you've found a security issue in the CakePHP ElasticSearch plugin, please use the following procedure +instead of the normal bug reporting system. Instead of using the bug tracker, +or one of the support forums please send an email to security [at] cakephp.org. Emails +sent to this address go to the CakePHP core team on a private mailing list. + +For each report, we try to first confirm the vulnerability. Once confirmed, +the CakePHP team will take the following actions: + +* Acknowledge to the reporter that we've received the issue, and are + working on a fix. We ask that the reporter keep the issue confidential until we announce it. +* Get a fix/patch prepared. +* Prepare a post describing the vulnerability, and the possible exploits. +* Release new versions of all affected versions. +* Prominently feature the problem in the release announcement From e9e4c9eb26168ec675177bd9150e4c3c2e128c67 Mon Sep 17 00:00:00 2001 
From: Jamison Bryant Date: Thu, 28 May 2026 09:24:46 -0400 Subject: [PATCH 2/2] Reference wiki version map instead of concrete table Avoids duplicating version support info that is already maintained in the wiki, reducing maintenance burden. --- .github/SECURITY.md | 12 +++--------- 1 file changed, 3 insertions(+), 9 deletions(-) diff --git a/.github/SECURITY.md b/.github/SECURITY.md index 3ab7b68..692aea0 100644 --- a/.github/SECURITY.md +++ b/.github/SECURITY.md @@ -2,15 +2,9 @@ ## Supported Versions -We support fixing security issues on the following releases: - -| Version | Supported | Security fixes until -| ------- | ------------------ | -------------------- -| 5.x | :white_check_mark: | Currently supported -| 4.x | :white_check_mark: | The release of 6.x -| 3.x | :white_check_mark: | 36 Months after the release of CakePHP 5.0 (09 Sep 2026) -| 2.x | :x: | No longer supported -| <=1.0 | :x: | No longer supported +Security fixes are applied to all active versions listed in the +[version map](https://github.com/cakephp/elastic-search/wiki#cakephp-version-map). +Versions marked as EOL no longer receive fixes. ## Reporting a Vulnerability
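Review bot: In the first patch (the `@@ -0,0 +1,30 @@` hunk adding `.github/SECURITY.md`), the "Supported Versions" table hard-codes dates and milestones ("36 Months after the release of CakePHP 5.0 (09 Sep 2026)", "The release of 6.x") that are framework facts rather than plugin facts, so the table will silently go stale in this repository once the framework's support windows move; if the table stays, consider adding a "last reviewed" date beside it so a reporter can tell how current it is. Two smaller points in the same hunk: "36 Months" should be "36 months", and the reporting section promises acknowledgement but gives no expected response time, which is the one thing a reporter deciding whether to wait for a private fix most needs to know.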
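Review bot: In the second patch (the `@@ -2,15 +2,9 @@` hunk), replacing the table with a link to `https://github.com/cakephp/elastic-search/wiki#cakephp-version-map` moves the only statement of which releases receive security fixes out of version control: the wiki page and its `#cakephp-version-map` anchor can be edited or renamed independently of the repository, and a broken anchor leaves the policy saying nothing about supported versions. Suggest keeping a one-line inline statement of the currently supported major versions next to the link (for example "Currently 4.x and 5.x receive fixes; see the version map for end-of-life dates"), or pointing at a page that lives in the repository, so the policy remains meaningful if the wiki changes.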