From 053e2b3113c228a35d26503490b2ce47e115685e Mon Sep 17 00:00:00 2001 From: agedd <105314544+agedd@users.noreply.github.com> Date: Tue, 21 Apr 2026 11:34:16 -0500 Subject: [PATCH 1/2] docs: create SECURITY.md --- SECURITY.md | 66 +++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 66 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..232504c --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,66 @@ +# Security Policy + +This repository adheres to the [PayPal Vulnerability Reporting Policy](https://hackerone.com/paypal). + +## Reporting a Vulnerability + +If you think you have found a vulnerability in this repository, please report it to us through coordinated disclosure. + +**Please do not report security vulnerabilities through public issues, discussions, or pull requests.** + +Instead, report it using one of the following ways: + +* Email the PayPal Security Team at [security@paypal.com](mailto:security@paypal.com) +* Submit through the [PayPal Bug Bounty Program](https://hackerone.com/paypal) on HackerOne +* Report a [vulnerability](https://github.com/braintree/android-card-form/security/advisories/new) directly via private vulnerability reporting on GitHub + +Please include the following in your report: + +* The type of issue and affected version(s) +* Step-by-step instructions to reproduce the issue +* Impact of the issue and how an attacker might exploit it + +## Supported Versions + +### New Features + +New features are only added to the latest major release and will not be backported to older versions. + +### Bug Fixes + +Only the latest release series receives bug fixes. When enough bugs are fixed and a new release is warranted, it is cut from the main branch. + +### Security Issues + +Only the latest release series receives patches and new versions in the case of a security issue. + +### Severe Security Issues + +For severe security issues, we will provide new versions as above. Additionally, the last major release series may receive patches at our discretion. Severity classification is determined by the Braintree SDK team. + +### Unsupported Release Series + +When a release series is no longer supported, it is your responsibility to manage bugs and security issues. If you are not comfortable maintaining your own versions, we strongly recommend upgrading to a supported release. 
+ +### Platform Support + +| Platform | Supported Versions | +| -------- | ----------------------- | +| Android | Latest 2 major versions | + +## Disclosure Policy + +We are committed to working with security researchers in good faith. To support responsible disclosure, our team will: + +- Acknowledge your report within **2 business days** +- Provide a triage update within **5 business days** +- Keep you informed of our progress toward a fix +- Notify you before any public disclosure + +We ask that you: + +- Do not publicly disclose the issue before it has been resolved +- Avoid accessing, modifying, or deleting data that does not belong to you +- Make a good faith effort to avoid disruption to production systems + +We appreciate responsible disclosure and your efforts to keep Braintree SDK users safe. From 7b3006da15200525aff27bfe67cb80d54ddf62f8 Mon Sep 17 00:00:00 2001 From: agedd <105314544+agedd@users.noreply.github.com> Date: Wed, 22 Apr 2026 10:54:36 -0500 Subject: [PATCH 2/2] docs: update SECURITY.md --- SECURITY.md | 27 ++++++++------------------- 1 file changed, 8 insertions(+), 19 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index 232504c..a1cf753 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -20,40 +20,29 @@ Please include the following in your report: * Step-by-step instructions to reproduce the issue * Impact of the issue and how an attacker might exploit it -## Supported Versions - -### New Features - -New features are only added to the latest major release and will not be backported to older versions. - -### Bug Fixes - -Only the latest release series receives bug fixes. When enough bugs are fixed and a new release is warranted, it is cut from the main branch. +## Supported Security Updates ### Security Issues -Only the latest release series receives patches and new versions in the case of a security issue. +Only the latest release series receives patches and new versions in the case of a security issue. See our [deprecation policy](https://developer.paypal.com/braintree/docs/guides/client-sdk/deprecation-policy/android/v5/) for details. ### Severe Security Issues For severe security issues, we will provide new versions as above. Additionally, the last major release series may receive patches at our discretion. Severity classification is determined by the Braintree SDK team. -### Unsupported Release Series - -When a release series is no longer supported, it is your responsibility to manage bugs and security issues. If you are not comfortable maintaining your own versions, we strongly recommend upgrading to a supported release. - ### Platform Support -| Platform | Supported Versions | -| -------- | ----------------------- | -| Android | Latest 2 major versions | +| Platform | Supported Versions | +| -------- | ----------------------------------------------------- | +| Android | Most widely used versions at the time of SDK release | + +For details on supported platform versions, see our [deprecation policy](https://developer.paypal.com/braintree/docs/guides/client-sdk/deprecation-policy/android/v5/). ## Disclosure Policy We are committed to working with security researchers in good faith. 
To support responsible disclosure, our team will: -- Acknowledge your report within **2 business days** -- Provide a triage update within **5 business days** +- Acknowledge your report in a timely manner - Keep you informed of our progress toward a fix - Notify you before any public disclosure
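Review bot: in the first hunk (the one creating SECURITY.md), the "Report a vulnerability" link to `https://github.com/braintree/android-card-form/security/advisories/new` only works if private vulnerability reporting is enabled in the repository's security settings; without it, external reporters get a 404 instead of a report form, so please confirm the setting is on before merging, or drop the bullet and keep the HackerOne and email channels. The same hunk also mixes a general release policy ("New Features", "Bug Fixes", "Unsupported Release Series") into a security policy, and the "Platform Support" table's "Latest 2 major versions" does not say whether it means Android OS versions or SDK versions, which leaves it unclear how it relates to "Only the latest release series receives patches" two sections earlier.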
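Review bot: in the second hunk, replacing the measurable commitments "Acknowledge your report within **2 business days**" and "Provide a triage update within **5 business days**" with "Acknowledge your report in a timely manner" removes the only way a reporter can tell when a report has stalled and when to escalate; if the fixed windows cannot be kept, consider stating a looser upper bound or pointing to the response targets published on the HackerOne program page linked at the top of the file. Minor: the deprecation policy URL is now linked twice in the same hunk (under "Security Issues" and again after the "Platform Support" table); one link in the platform section is enough.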