From 72ce287375807581e2933be9be6981380c372072 Mon Sep 17 00:00:00 2001 From: Avinash Thakur Date: Wed, 4 Feb 2026 02:59:07 +0530 Subject: [PATCH] chore: update security policy --- README.md | 5 +++++ SECURITY.md | 20 +++++++++++++++++++- 2 files changed, 24 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 5f01cf7..dc5bf36 100644 --- a/README.md +++ b/README.md @@ -402,6 +402,11 @@ npm run browser-test - Visit [http://localhost:8082/test/](http://localhost:8082/test/). + +## Security + +Please see [SECURITY.md](./SECURITY.md) for important security considerations and instructions on how to report vulnerabilities. + ## License [MIT License](https://opensource.org/license/mit/). diff --git a/SECURITY.md b/SECURITY.md index 4308f92..01f09f6 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -1,10 +1,28 @@ # Security Policy +## Security Considerations + +### Query Injection + +JSONPath-Plus evaluates JSONPath expressions provided by the caller. While the default `"eval": "safe"` option prevents arbitrary code execution, it **cannot prevent data exposure if the JSONPath query itself is compromised**. + +If untrusted input is incorporated into a JSONPath expression, an attacker may be able to alter the query structure by adding additional patterns. This can change how the remaining query is interpreted and may result in **unexpected or broader data being returned** than intended. + +**Important notes:** +- This does **not** enable random code execution when using `"eval": "safe"` (the default). +- The primary risk is **data leakage**, not execution of attacker-controlled code. + +**Mitigations:** +1. **Do not interpolate unsanitized user input into JSONPath queries.** +2. If user-controlled input must be included in a query, ensure the target JSON object contains **only non-confidential data**. + +As a general rule, treat JSONPath expressions as code and avoid constructing them dynamically from untrusted sources. + ## Reporting a Vulnerability **Please do not report security vulnerabilities through public GitHub issues.** -If you believe you’ve found a security vulnerability, please send it to us by emailing [brettz9@yahoo.com](mailto:brettz9@yahoo.com). Please include the following details with your report: +If you believe you’ve found a security vulnerability, please send it to us by emailing [iamavinashthakur.at@gmail.com](mailto:iamavinashthakur.at@gmail.com) or [brettz9@yahoo.com](mailto:brettz9@yahoo.com). Please include the following details with your report: 1. Description of the location and potential impact of the vulnerability
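Review bot: In the README hunk, the new "## Security" section only links to SECURITY.md; since the README is what most users actually read, consider adding one sentence summarising the caveat the SECURITY.md hunk introduces, for example "Do not interpolate unsanitized user input into JSONPath queries; see SECURITY.md for details", so the data-exposure risk is visible without following the link. Also check the blank line added immediately before "## Security" against the existing spacing before "## License" so the two sections are separated consistently.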
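Review bot: In the SECURITY.md hunk, the first "Important notes" bullet says the issue "does not enable random code execution", but the paragraph above says `"eval": "safe"` "prevents arbitrary code execution"; use "arbitrary" in both places so the guarantee is stated consistently. The same paragraph qualifies the guarantee with "the default `"eval": "safe"` option" but never says what holds under other `eval` settings; state explicitly that the no-code-execution statement applies only to safe mode so readers do not assume it covers every configuration. Under "Mitigations", item 2 (ensure the target JSON contains "only non-confidential data") is a weak fallback; consider adding a stronger option between items 1 and 2, such as validating any user-supplied fragment against a strict allowlist (for example plain property names only) and rejecting anything containing JSONPath syntax characters, since the hunk's own description of the risk is that the input can "alter the query structure by adding additional patterns". Finally, the new reporting address is added alongside the existing one without saying whether either is preferred; a short note on which contact to use first (or that both are monitored) would help reporters.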