From 3a04973747f8ab298ad9120667340e0f7d4e202a Mon Sep 17 00:00:00 2001 From: ZQlQZ Date: Wed, 22 Apr 2026 14:22:07 +0800 Subject: [PATCH] update readme & add security.md --- README.md | 5 +++++ SECURITY.md | 13 +++++++++++++ 2 files changed, 18 insertions(+) create mode 100644 SECURITY.md diff --git a/README.md b/README.md index 6e52eb7d..4facc50e 100644 --- a/README.md +++ b/README.md @@ -102,6 +102,11 @@ Before commit or push your changes, please make sure the unittests are passed ,o pytest -n 16 ``` +## Security and privacy + +This project takes security seriously. +For vulnerability reporting and supported versions, see [SECURITY.md](SECURITY.md) + ## Contact with us Join our discussion group by scanning the QR code below: diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 00000000..8e7c923a --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,13 @@ +## Security and privacy + +If you discover potential security issues in the project, or believe you may have found a security issue, please notify the ByteDance security team through our [security center](https://security.bytedance.com/src/) or [vulnerability reporting email](mailto:src@bytedance.com). Please do not create public GitHub Issues. + +We will assess the vulnerability based on the Common Vulnerability Scoring System (CVSS 3.1). The security team will keep you updated on key progress and may request further information or guidance from you. You are welcome to contact us via the email or website mentioned above to ask questions or discuss disclosure matters. + +To protect the security of our customers, ByteDance requests that you do not publish or share information regarding the vulnerability in any public forum, nor publish or share data involving users, until the vulnerability has been remediated and our users have been notified. Please understand that the time required for remediation depends on the severity of the vulnerability and the scope of the impact. + +Individuals, companies, and security teams may wish to publish security advisories on their own websites or other forums. Please contact us via the email or website mentioned above prior to publication to discuss the information that can be disclosed and to coordinate the disclosure timeline. + +## Bug Bounty Reward + +[For the policy of bug bounty reward](https://bytedance.larkoffice.com/docx/ZstQd7bbooDctqxBCAmcFasOngd), if you have any questions about the rules, please contact [https://src.bytedance.com/home](https://src.bytedance.com/home) for consultation.
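Review bot: In the README.md hunk, the new sentence "For vulnerability reporting and supported versions, see [SECURITY.md](SECURITY.md)" promises a supported-versions list, but the SECURITY.md added in this same patch contains only reporting and disclosure text plus a bounty link, with no versions section. Either add a supported-versions section to SECURITY.md stating which releases receive security fixes, or drop "and supported versions" from the README. The heading "Security and privacy" also covers nothing about privacy in either file; "Security" or "Reporting security issues" would match the content. Minor: the sentence ending in the SECURITY.md link has no closing period.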
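Review bot: In the SECURITY.md hunk, the first paragraph sends reporters to `https://security.bytedance.com/src/` while the Bug Bounty Reward section sends them to `https://src.bytedance.com/home`; please confirm which portal is canonical and use one URL throughout, so reporters are not left guessing where a report or a question belongs. The policy also asks reporters to withhold publication until remediation but commits to no acknowledgement or status-update timeframe beyond "will keep you updated on key progress"; stating an expected first-response window would make the embargo request easier to honour. It would also help to list what a report should contain (affected version or commit, reproduction steps, impact), since the text says triage uses CVSS 3.1. The bounty policy link goes to a `bytedance.larkoffice.com` document; please check that it opens without a login for external reporters. Wording: the opening sentence repeats itself ("discover potential security issues ... or believe you may have found a security issue"), and the last line uses a sentence fragment as link text ("For the policy of bug bounty reward"); something like "See the bug bounty policy" with the question contact in a separate sentence would read more clearly.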