From df9c75b0635e1906a32a185e1244188a58cdceb2 Mon Sep 17 00:00:00 2001 From: Paultagoras <41276418+Paultagoras@users.noreply.github.com> Date: Fri, 29 Sep 2023 11:23:06 -0400 Subject: [PATCH 1/2] Add files via upload --- SECURITY.md | 57 +++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 57 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 000000000..82b7254f8 --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,57 @@ + + +# Security Policy + +## Security Announcements +Security fixes will be announced by posting them in the [security changelog](https://clickhouse.com/docs/en/whats-new/security-changelog/). + +## Scope and Supported Versions + +The following versions of ClickHouse server are currently being supported with security updates: + +| Version | Supported | +|:-|:-| +| 23.9 | ✔️ | +| 23.8 | ✔️ | +| 23.7 | ✔️ | +| 23.6 | ❌ | +| 23.5 | ❌ | +| 23.4 | ❌ | +| 23.3 | ✔️ | +| 23.2 | ❌ | +| 23.1 | ❌ | +| 22.* | ❌ | +| 21.* | ❌ | +| 20.* | ❌ | +| 19.* | ❌ | +| 18.* | ❌ | +| 1.* | ❌ | + +## Reporting a Vulnerability + +We're extremely grateful for security researchers and users that report vulnerabilities to the ClickHouse Open Source Community. All reports are thoroughly investigated by developers. + +To report a potential vulnerability in ClickHouse please send the details about it to [security@clickhouse.com](mailto:security@clickhouse.com). We do not offer any financial rewards for reporting issues to us using this method. Alternatively, you can also submit your findings through our public bug bounty program hosted by [Bugcrowd](https://bugcrowd.com/clickhouse) and be rewarded for it as per the program scope and rules of engagement. + +### When Should I Report a Vulnerability? + +- You think you discovered a potential security vulnerability in ClickHouse +- You are unsure how a vulnerability affects ClickHouse + +### When Should I NOT Report a Vulnerability? + +- You need help tuning ClickHouse components for security +- You need help applying security related updates +- Your issue is not security related + +## Security Vulnerability Response + +Each report is acknowledged and analyzed by ClickHouse maintainers within 5 working days. +As the security issue moves from triage, to identified fix, to release planning we will keep the reporter updated. 
+ +## Public Disclosure Timing + +A public disclosure date is negotiated by the ClickHouse maintainers and the bug submitter. We prefer to fully disclose the bug as soon as possible once a user mitigation is available. It is reasonable to delay disclosure when the bug or the fix is not yet fully understood, the solution is not well-tested, or for vendor coordination. The timeframe for disclosure is from immediate (especially if it's already publicly known) to 90 days. For a vulnerability with a straightforward mitigation, we expect the report date to disclosure date to be on the order of 7 days. + From 8ae0b41e528d35ade5d6dad9336b757228e396e4 Mon Sep 17 00:00:00 2001 From: Paultagoras <41276418+Paultagoras@users.noreply.github.com> Date: Fri, 29 Sep 2023 11:41:18 -0400 Subject: [PATCH 2/2] Update SECURITY.md --- SECURITY.md | 22 +++------------------- 1 file changed, 3 insertions(+), 19 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index 82b7254f8..c36d0acdf 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -9,25 +9,9 @@ Security fixes will be announced by posting them in the [security changelog](htt ## Scope and Supported Versions -The following versions of ClickHouse server are currently being supported with security updates: - -| Version | Supported | -|:-|:-| -| 23.9 | ✔️ | -| 23.8 | ✔️ | -| 23.7 | ✔️ | -| 23.6 | ❌ | -| 23.5 | ❌ | -| 23.4 | ❌ | -| 23.3 | ✔️ | -| 23.2 | ❌ | -| 23.1 | ❌ | -| 22.* | ❌ | -| 21.* | ❌ | -| 20.* | ❌ | -| 19.* | ❌ | -| 18.* | ❌ | -| 1.* | ❌ | +Generally the latest release contains the most recent security updates - we increment version numbers based on all changes, including security fixes. + +Where applicable we might backport, but generally the latest is the most secure. ## Reporting a Vulnerability
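Review bot: the "Scope and Supported Versions" table in this hunk lists ClickHouse server releases (23.9 down to 1.*) rather than this repository's own releases, so as written it does not tell a reporter which versions of this project receive fixes, and it will go stale at every server release unless someone owns updating it; replace it with this project's own version policy (the second patch in this series does this). Two smaller points in the same hunk: the file opens with two empty `+` lines before `# Security Policy`, which should be dropped, and the "Security Announcements" section sends readers to the ClickHouse server security changelog at clickhouse.com, so unless fixes to this repository are in fact posted there, state where this project's advisories are published (for example the repository's GitHub Security Advisories) or remove the link. Minor wording: "security researchers and users that report vulnerabilities" should read "who report".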
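Review bot: the replacement text for "Scope and Supported Versions" no longer states which versions receive security fixes. "Generally the latest release contains the most recent security updates" and "Where applicable we might backport, but generally the latest is the most secure" leave a reporter unable to tell whether a fix will reach the version they run; say it directly, e.g. "Only the latest release receives security fixes. Fixes are not backported to earlier releases unless stated in the release notes." The heading still promises a scope statement and the hunk leaves none: say what is in scope for this repository as opposed to ClickHouse server, which has its own policy, since the unchanged text under "Reporting a Vulnerability" still asks for reports of "a potential vulnerability in ClickHouse". Style: the hyphen in "security updates - we increment version numbers" is standing in for a sentence break; split it into two sentences.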