From 5cd2ddf5097e01d6ed9ee533d9c32cd212d031c3 Mon Sep 17 00:00:00 2001 From: GeiserX <9169332+GeiserX@users.noreply.github.com> Date: Fri, 10 Apr 2026 19:49:12 +0200 Subject: [PATCH] chore: add SECURITY.md --- SECURITY.md | 53 +++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 53 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..ccd1ec7 --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,53 @@ +# Security Policy + +## Reporting Security Issues + +**Please do not report security vulnerabilities through public GitHub issues.** + +Instead, please use GitHub's private vulnerability reporting: + +1. Go to https://github.com/GeiserX/CashPilot-android/security/advisories +2. Click "Report a vulnerability" +3. Fill out the form with details + +We will respond within **48 hours** and work with you to understand and address the issue. + +### What to Include + +- Type of issue (e.g., data leakage, insecure storage, authentication bypass) +- Full paths of affected source files +- Step-by-step instructions to reproduce +- Proof-of-concept or exploit code (if possible) +- Impact assessment and potential attack scenarios + +### Supported Versions + +| Version | Supported | +| ------- | ------------------ | +| Latest | :white_check_mark: | + +Only the latest version receives security updates. We recommend always running the latest version. + +## Security Architecture + +### Data Protection + +- **Local-first** - All financial data stored on-device +- **No cloud sync** - Data never leaves the device unless explicitly exported +- **SQLite encryption** - Database protected at rest + +### API Security + +- **Dashboard communication** - Authenticated API calls to m4b-dashboard +- **No telemetry** - No data collection or phone-home functionality + +## Security Best Practices for Users + +1. **Keep the app updated** - Run the latest version from GitHub Releases +2. **Verify APK signatures** - Only install from official releases +3. **Use device encryption** - Enable full-disk encryption on your Android device +4. **Review permissions** - The app requests only necessary permissions + +## Contact + +For security questions that aren't vulnerabilities, contact: security@geiser.cloud
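Review bot: the "Verify APK signatures - Only install from official releases" bullet under "Security Best Practices for Users" gives users nothing to verify against: the file publishes no release signing-certificate fingerprint or checksum, so a repackaged APK cannot be told apart from an official one. Suggest adding the release key's SHA-256 certificate fingerprint (or a link to where it is published) next to that bullet. The same applies to the "Security Architecture" claims "**SQLite encryption** - Database protected at rest" and "**Dashboard communication** - Authenticated API calls to m4b-dashboard", which assert a protection without naming the mechanism, how the database key is protected on-device, or what authenticates the dashboard calls; one sentence each would let reporters scope a finding under the listed issue types ("insecure storage, authentication bypass"). Finally, "We will respond within **48 hours**" is an acknowledgement commitment only; the policy states no fix or coordinated-disclosure timeline, so reporters do not know when they may publish. Consider adding a target remediation window and a disclosure statement alongside the 48-hour response line.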