From 4846587aee76e97d5a4574a9802af90bb84eb51e Mon Sep 17 00:00:00 2001 From: Avgustin Marinov Date: Wed, 19 Nov 2025 11:38:36 +0200 Subject: [PATCH] Update SECURITY.md (#2822) Signed-off-by: Avgustin Marinov --- .github/workflows/license-scan.yaml | 4 ++-- SECURITY.md | 23 +++++++++++++++++------ 2 files changed, 19 insertions(+), 8 deletions(-) diff --git a/.github/workflows/license-scan.yaml b/.github/workflows/license-scan.yaml index 085aad096..a66332f29 100644 --- a/.github/workflows/license-scan.yaml +++ b/.github/workflows/license-scan.yaml @@ -4,8 +4,8 @@ on: # enable running the workflow manually workflow_dispatch: schedule: - # run every night at 2:00 AM (UTC) - - cron: '0 2 * * *' + # run every Monday at 2:00 AM (UTC), 429 when querying ClearlyDefined too frequently + - cron: '0 2 * * 1' permissions: contents: write diff --git a/SECURITY.md b/SECURITY.md index 16785b7f4..effdb6c55 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -1,7 +1,18 @@ -# Reporting a Security Vulnerability +# Security Policy -If you find a vulnerability, **DO NOT** disclose it in the public immediately! Instead, give us the possibility to fix -it beforehand. -So please don’t report your finding using GitHub issues and better head over -to [https://eclipse.org/security](https://eclipse.org/security) and learn how to disclose a vulnerability in a safe and -responsible manner +Eclipse hawkBit follows the [Eclipse Foundation Security Policy](https://www.eclipse.org/security/policy.php). Vulnerabilities are tracked by the hawkBit project leads, in cooperation with the Eclipse security team. Fixing vulnerabilities is taken care of by the hawkBit project committers, with assistance and guidance of the security team. + +## Supported Versions + +Eclipse hawkBit provides security updates for the two most recent minor versions. +These versions of Eclipse hawkBit are currently being supported with security updates. + +| Version | Supported | +|---------| ------------------ | + +## Reporting a Vulnerability + +If you identify a potential vulnerability, **DO NOT** publicly disclose it immediately! Instead, give the Eclipse hawkBit team sufficient time to investigate and address the issue appropriately. +So, please **DO NOT** report your finding using GitHub issues. Instead, please submit your report through [hawkBit GitHub Security](https://github.com/eclipse-hawkbit/hawkbit/security) using the `Report a vulnerability` feature. + +_For further information regarding the responsible disclosure of security vulnerabilities within the Eclipse Foundation, please refer to [Security at the Eclipse Foundation](https://eclipse.org/security)._
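Review bot: In the license-scan.yaml hunk, the comment on the new cron line ("run every Monday at 2:00 AM (UTC), 429 when querying ClearlyDefined too frequently") reads as two unrelated fragments; state the cause and effect explicitly, e.g. "run weekly (Monday 02:00 UTC): nightly runs hit HTTP 429 rate limits from ClearlyDefined". Also worth saying in the commit message or comment that moving from nightly to weekly widens the window before a newly introduced license problem is flagged, and that `workflow_dispatch` remains available for an on-demand scan after a dependency bump.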
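Review bot: In the SECURITY.md hunk, the "Supported Versions" table has a header row and a separator row but no data rows, so the policy says "These versions of Eclipse hawkBit are currently being supported" while listing none; add the rows for the two most recent minor versions (e.g. `| <latest minor>.x | :white_check_mark: |` and `| < older versions | :x: |`, with the real version numbers filled in), or drop the table and keep only the sentence. The two sentences above the table also say the same thing twice; one of them can go. Finally, the "Report a vulnerability" link only works if private vulnerability reporting is enabled in the repository's security settings, so that should be confirmed before this lands, otherwise reporters are sent to a page that does not offer the feature.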