From 6558c271dd9d901306aa05e5f8c2b9b472a0909b Mon Sep 17 00:00:00 2001 From: Arseny Kapoulkine Date: Mon, 15 Nov 2021 12:04:26 -0800 Subject: [PATCH] Create SECURITY.md Fixes #197. --- SECURITY.md | 14 ++++++++++++++ 1 file changed, 14 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 00000000..3fc9f66d --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,14 @@ +# Security Guarantees + +Luau provides a safe sandbox that scripts can not escape from, short of vulnerabilities in custom C functions exposed by the host. This includes the virtual machine and builtin libraries. + +Any source code can not result in memory safety errors or crashes during its compilation or execution. Violations of memory safety are considered vulnerabilities. + +Note that Luau does not provide termination guarantees - some code may exhaust CPU or RAM resources on the system during compilation or execution. + +The runtime expects valid bytecode as an input. Feeding bytecode that was not produced by Luau compiler into the VM is not supported and +doesn't come with any security guarantees; make sure to sign the bytecode when it crosses a network or file system boundary to avoid tampering. + +# Reporting a Vulnerability + +You can report security bugs via [Hackerone](https://hackerone.com/roblox). Please refer to the linked page for rules of the bounty program.
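Review bot: the bytecode paragraph in the hunk tells hosts to sign bytecode that crosses a network or file-system boundary, but it never says that the host must verify that signature before calling into the VM, or that bytecode failing verification must be rejected rather than loaded; since the same paragraph states the runtime "expects valid bytecode as an input" and gives no guarantees otherwise, an unverified load silently forfeits the memory-safety guarantee stated two paragraphs earlier. Suggest making the two statements consistent with an explicit sentence, e.g. "The host must verify the signature before loading; bytecode that fails verification must not be passed to the VM", and adding that malformed or hand-crafted bytecode is therefore outside the memory-safety guarantee rather than a vulnerability in it. Two style nits in the same hunk: "can not" (used twice) should be "cannot", and the line break after "is not supported and" splits a sentence mid-clause while every other paragraph in the file is a single line.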