Update security.md

security.md

@@ -1,10 +1,16 @@
-# Introduction
+# Security Policy
 
-# Reporting Vulnerabilities
+## Supported Versions
+
+Only new releases of this project will contain security updates. All clients should use the latest version of this project in their dependencies. There is no process in place to backport security fixes to previous releases. If you require a backport, please [create an issue](../../issues/new/choose) containing an explanation of why the latest version cannot be used.
+
+## Reporting Vulnerabilities
 
 Please report all potential security vulnerabilities using the [Report a vulnerability](../../security/advisories/new) button in the [Security](../../security) section of this repository. 
 
-# Local Filesystem
+# Developer Notes
+
+## Local Filesystem
 
 The main use of the local file system for the core library (other than the validator - see below) is for the 
 [NPM package cache](https://confluence.hl7.org/display/FHIR/FHIR+Package+Cache). The default location and content
@@ -29,7 +35,7 @@ Validator: The validator CLI also accesses local files as specified in the comma
 and runs in the user context. TODO: we are considering whether to support a command line parameter 
 restricting path access to particular directories.
 
-# Network access
+## Network access
 
 The library will access the web to download needed collateral, or to access terminology resources or servers.
 All access is by http(s) using the httpok library, and is controlled by the class ManagedWebAccess. You can 
@@ -46,15 +52,15 @@ of the use of these libraries is ongoing.
 Validator: The validator CLI accesses the web to download packages and make use of the
 terminology server, which defaults to https://tx.fhir.org.
 
-# Logging 
+## Logging 
 
 todo
 
-# Terminology Server Access
+## Terminology Server Access
 
 todo
 
-# Cryptography 
+## Cryptography 
 
 Other than the https client, the library doesn't have any crypto functions in it.