docs: SECURITY.md ( Fixes #12 )

James Brundage · James Brundage · commit 3b4ccefc95e3 · 2024-11-27T00:03:25.000-08:00
diff --git a/SECURITY.md b/SECURITY.md
@@ -0,0 +1,20 @@
+# Security
+
+We take security seriously.  If you believe you have discovered a vulnerability, please [file an issue](https://github.com/PowerShellWeb/WebSocket/issues).
+
+## Special Security Considerations
+
+WebSockets are not inherantly dangerous, but what comes out of them might well be.
+
+In order to avoid data poisoning attacks, please _never_ directly run any code from the internet that you do not trust.
+
+Please also assume all WebSockets are untrustworthy.
+
+There are a few easy ways to do this.
+
+WebSocket responses should never:
+
+1. Be piped into `Invoke-Expression`
+2. Be expanded with `.ExpandString`
+3. Be directly placed into a `SQL` query
+
