From 013d410bd8124a6792c0bc734bb1d4c218a1ccd0 Mon Sep 17 00:00:00 2001
From: Damien Elmes <gpg@ankiweb.net>
Date: Wed, 22 Sep 2021 22:55:19 +1000
Subject: [PATCH] add SECURITY.md

---
 SECURITY.md | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)
 create mode 100644 SECURITY.md

diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 000000000..b4aa4b959
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,27 @@
+# Security Policy
+
+## Reporting a Vulnerability
+
+Anki does not currently have a bug bounty program, but if you have discovered a
+security issue, a private message on our support site would be greatly
+appreciated. No account is required to post a message:
+
+https://anki.tenderapp.com/discussion/new
+
+## FAQ
+
+### Javascript on Cards/Templates
+
+Anki allows users and shared deck authors to augment their card designs with
+Javascript. This is used frequently, so disabling Javascript by default would
+likely break a lot of the shared decks out there. That said, the default may be
+changed in the future.
+
+The computer version has a limited interface between Javascript and the parts of
+Anki outside of the webview, so arbitrary code execution outside of the webview
+should not be possible.
+
+AnkiWeb hosts its study and editing interface on a separate ankiuser.net domain,
+so that malicious Javascript on cards can not trigger endpoints hosted on the
+main site. If you've found that not to be the case, or found an instance of JS
+not being filtered on the main site, please let us know.