From b17e677bdffabac6092dafeef60b80224b7204b5 Mon Sep 17 00:00:00 2001 From: Daryl Maier Date: Thu, 4 Apr 2024 19:28:58 -0400 Subject: [PATCH] Create an Eclipse OMR security policy Signed-off-by: Daryl Maier --- SECURITY.md | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 00000000000..c873754dadc --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,19 @@ +# Security Policy + +Eclipse OMR follows the [Eclipse Vulnerability Reporting Policy](https://www.eclipse.org/security/policy.php). Vulnerabilities are tracked by the Eclipse OMR project leads, or by the Eclipse security team in cooperation with the OMR project leads. Fixing vulnerabilities is the responsibility of OMR project committers. + +## Supported Versions + +Eclipse OMR only supports security updates in upcoming OMR releases. + +## Reporting a Vulnerability + +In case of suspected vulnerabilities, we recommend you do not use the public Eclipse OMR GitHub issue tracker. Instead, contact an Eclipse OMR project lead via the [OMR Slack](https://eclipse-omr.slack.com) workspace and a private channel will be created for the discussion. You can join the Eclipse OMR Slack workspace [here](https://join.slack.com/t/eclipse-omr/shared_invite/enQtMzg2ODIwODc4MTAyLWFiMzZkNmNhODc5OTM0MjgwZDdjNzg5YTg5NzM0ZmEzNTIyMGViMjk1YjYwNzczYjYwODc4YTM5MDk0NjIxMjg) if required. The project leads will follow the Eclipse Foundation policy for reporting and resolving security vulnerabilities. + +| Project Lead | Slack Handle | +| :--- | :--- | +| Daryl Maier | @0xdaryl | +| Mark Stoodley | @mstoodle | +| Charlie Gracie | @charliegracie | + +Alternatively, you may contact the Eclipse Security Team via an email to security@eclipse.org.
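Review bot: In the "Reporting a Vulnerability" section, the primary private reporting path depends on a hardcoded Slack `shared_invite` link and a table of three personal Slack handles. Both go stale if the invite is revoked or the project leads change, and a reporter then has no working private channel apart from the last sentence. Consider listing security@eclipse.org first as the stable contact and presenting Slack as the alternative. Also consider giving the invite link descriptive text instead of "here". Separately, "Supported Versions" says OMR "only supports security updates in upcoming OMR releases", which leaves it to inference whether already-shipped releases are ever patched. One explicit sentence saying that fixes are not backported, if that is the intent, would remove the ambiguity.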