From da2aa34e3eef5fc6e9a86af6a59779e64a924f23 Mon Sep 17 00:00:00 2001 From: Nicholas Tindle Date: Thu, 6 Mar 2025 09:59:07 -0600 Subject: [PATCH] docs(security): Update disclosure timeline (#9581) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Update the security.md based on some advice we got :) ### Changes 🏗️ - Adds an update time window and clarifies time spans --- SECURITY.md | 1 + 1 file changed, 1 insertion(+) diff --git a/SECURITY.md b/SECURITY.md index 1bacc8ef83..45705d7106 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -20,6 +20,7 @@ Instead, please report them via: - Please provide detailed reports with reproducible steps - Include the version/commit hash where you discovered the vulnerability - Allow us a 90-day security fix window before any public disclosure +- After patch is released, allow 30 days for users to update before public disclosure (for a total of 120 days max between update time and fix time) - Share any potential mitigations or workarounds if known ## Supported Versions
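Review bot: The parenthetical in the added SECURITY.md bullet, "for a total of 120 days max between update time and fix time", does not name the interval it means. The time between the fix and the end of the update period is the 30 days, while the 120-day total only adds up as the 90-day fix window plus those 30 days, which would run from the report to public disclosure. The unchanged bullet above it still reads "Allow us a 90-day security fix window before any public disclosure", so a reporter can read the two lines as permitting disclosure at day 90 or requiring a wait until 30 days after the patch. The text also leaves open what applies when a patch ships well before day 90, or when no patch has shipped by day 90. Suggest stating both endpoints explicitly, for example "After a patch is released, allow 30 days for users to update before public disclosure (at most 120 days from the initial report to public disclosure)", and adjusting the 90-day bullet so it describes the fix window only. The commit message says the change "clarifies time spans", but the diff only inserts one line and leaves the existing 90-day wording as is.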