Documentation update for issue #1

README.md

@@ -697,3 +697,11 @@ The exported Go API of this module should currently be considered unstable, and
 ## License
 
 This project is licensed under the terms of the MIT open source license. Please refer to [MIT](./LICENSE) for the full terms.
+
+## Security and Versioning
+
+For supported versions, security policies, and disclosure process, see [SECURITY.md](./SECURITY.md). The minimum Go version and critical dependency versions are tracked in go.mod; see SECURITY.md for guidance and example commands to verify versions locally. The published container image is ghcr.io/github/github-mcp-server; for production use, pin image tags or digests.
+
+### Model Providers
+
+This server does not call any model providers. It exposes GitHub tools over MCP to a host which may use models independently (e.g., VS Code Copilot Chat, Claude Desktop). See [SECURITY.md](./SECURITY.md) for details.

SECURITY.md

@@ -29,3 +29,33 @@ This information will help us triage your report more quickly.
 ## Policy
 
 See [GitHub's Safe Harbor Policy](https://docs.github.com/en/site-policy/security-policies/github-bug-bounty-program-legal-safe-harbor#1-safe-harbor-terms)
+
+## Supported Versions and Update Policy
+
+- Unless otherwise stated in a repository’s README or SECURITY.md, GitHub maintains security fixes on a best-effort basis for the latest published release and any current container image tags. Older releases may not receive patches.
+- Where applicable, supported distribution formats and architectures are documented in the repository (for example, downloadable binaries, source archives, or container images on GitHub Container Registry). In production, pin to a specific version tag or image digest.
+
+## Security-Relevant Versions
+
+For each GitHub-owned repository, consult the repository for authoritative version information:
+- Toolchain and minimum versions: check language/tool manifests (for example, go.mod for Go, package.json for JavaScript, pyproject.toml for Python).
+- Dependency versions: review the repository’s dependency manifest and any third-party license or SBOM files (for example, THIRD_PARTY_NOTICES or third-party-licenses.*).
+- Container images (if published): use the repository’s Releases page or container registry page for available tags; in CI/production, prefer pinning by immutable digests.
+
+Examples (adjust to the repository’s language/tooling):
+- List the declared Go version: `grep '^go ' go.mod`
+- List pinned Go modules: `go list -m -mod=mod all | sort`
+- Inspect a container image: `docker pull <registry>/<image>:<tag>` and `docker inspect <registry>/<image>:<tag>`
+
+## Model Providers Used by This Project
+
+Unless explicitly documented in the repository, GitHub-owned open source projects do not embed or directly call proprietary AI/LLM model providers. Any AI/model usage typically occurs in downstream tools or hosts that integrate with the project and is outside the scope of the repository itself. If a project integrates with a model provider, the repository will document the provider(s), configuration, and data flow.
+
+## Keeping This Document Up To Date
+
+For maintainers, when cutting a new release:
+- Review and update any Supported Versions statements in the repository.
+- Confirm minimum toolchain versions from the project’s manifest.
+- Review major versions of security-relevant dependencies.
+- Verify published container image tags/digests (if applicable).
+- Ensure links in this document remain valid.