From f5ac44e3a9a149b693e55ef25fdee3984cfb607b Mon Sep 17 00:00:00 2001 From: Florian Greinacher Date: Mon, 21 Aug 2023 10:34:25 +0200 Subject: [PATCH 1/7] feat: add a default security policy --- SECURITY.md | 13 +++++++++++++ 1 file changed, 13 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..65032ed --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,13 @@ +# Security Policy + +Siemens takes the security of its code seriously. If you think you have found a security vulnerability, +please read the next sections and follow the instructions to report your finding. + +## Reporting a Vulnerability + +Please DO NOT report any potential security vulnerability via a public channel (mailing list, GitHub issue etc.). +Instead, [report the vulnerability privately via GitHub](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability) +(if enabled for the repository) or [contact us via email](mailto:opensource@siemens.com). + +Please provide a detailed description of the issue, the steps to reproduce it, the affected versions and, if already available, +a proposal for a fix. You should receive a response within 5 working days. From 04991da7f55fd4ddd43c217a99e45e0da540952b Mon Sep 17 00:00:00 2001 From: Florian Greinacher Date: Mon, 21 Aug 2023 10:36:27 +0200 Subject: [PATCH 2/7] docs: mention security policy in readme --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 9df2cd5..21755ca 100644 --- a/README.md +++ b/README.md @@ -4,3 +4,4 @@ This repository contains files related to many or all repositories withing the ` - the [Siemens Contributor License Agreement](cla/) and related automation - the [Siemens organization profile](profile/) +- a [default security policy](SECURITY.md) for repositories that don't have their own From f4c8f6798975789cbe6a49c928cc416ce83051ac Mon Sep 17 00:00:00 2001 
From: Florian Greinacher Date: Mon, 11 Sep 2023 13:25:41 +0200 Subject: [PATCH 3/7] feat: describe scope of policy --- SECURITY.md | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/SECURITY.md b/SECURITY.md index 65032ed..42a4b3a 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -3,6 +3,15 @@ Siemens takes the security of its code seriously. If you think you have found a security vulnerability, please read the next sections and follow the instructions to report your finding. +## Scope of this policy + +This is the default security policy for all repositories within the `siemens` organzation on GitHub.com. + +It does not apply for reposities that have their own security policy. +It also does not apply for forks where you should follow the upstream policy instead. + +If you are unsure whether the policy applies feel free to reach out via the channels mentioned below and we'll be happy to help. + ## Reporting a Vulnerability Please DO NOT report any potential security vulnerability via a public channel (mailing list, GitHub issue etc.). From 43c1c72fceaebe995713c521bb05f25a979c942e Mon Sep 17 00:00:00 2001 From: Florian Greinacher Date: Wed, 13 Sep 2023 09:40:54 +0200 Subject: [PATCH 4/7] docs(security): mention coordinated vulnerability disclosure --- SECURITY.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/SECURITY.md b/SECURITY.md index 42a4b3a..cc119b4 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -19,4 +19,6 @@ Instead, [report the vulnerability privately via GitHub](https://docs.github.com (if enabled for the repository) or [contact us via email](mailto:opensource@siemens.com). Please provide a detailed description of the issue, the steps to reproduce it, the affected versions and, if already available, -a proposal for a fix. You should receive a response within 5 working days. +a proposal for a fix. You should receive a response within 5 working days. If for some reason you do not, please follow up via email to ensure we received your original message. + +If the issue is confirmed as a vulnerability by us, we will publish an advisory on (e.g. on GitHub) and give credits for your report if desired. We follow the coordinated vulnerability disclosure model and kindly ask you to help us define the appropriate disclosure timeline. From 250682b2f336ed63baad8bae4860487ad80be090 Mon Sep 17 00:00:00 2001 From: Florian Greinacher Date: Wed, 13 Sep 2023 17:31:17 +0200 Subject: [PATCH 5/7] style: rephrase disclosure paragraph a bit --- SECURITY.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/SECURITY.md b/SECURITY.md index cc119b4..8d644e6 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -21,4 +21,4 @@ Instead, [report the vulnerability privately via GitHub](https://docs.github.com Please provide a detailed description of the issue, the steps to reproduce it, the affected versions and, if already available, a proposal for a fix. You should receive a response within 5 working days. If for some reason you do not, please follow up via email to ensure we received your original message. -If the issue is confirmed as a vulnerability by us, we will publish an advisory on (e.g. on GitHub) and give credits for your report if desired. We follow the coordinated vulnerability disclosure model and kindly ask you to help us define the appropriate disclosure timeline. +If the issue is confirmed as a vulnerability by us, we will publish an advisory (e.g. on GitHub) and give credits for your report if desired. We follow the coordinated vulnerability disclosure model and will define an appropriate disclosure timeline together with you. From 28328dc330fe7db4e4de6ce766ad73f71ed81ac3 Mon Sep 17 00:00:00 2001 From: Florian Greinacher Date: Wed, 20 Sep 2023 12:28:27 +0200 Subject: [PATCH 6/7] style: add link to CVD Co-authored-by: Nejc Habjan --- SECURITY.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/SECURITY.md b/SECURITY.md index 8d644e6..4fcf6d6 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -21,4 +21,4 @@ Instead, [report the vulnerability privately via GitHub](https://docs.github.com Please provide a detailed description of the issue, the steps to reproduce it, the affected versions and, if already available, a proposal for a fix. You should receive a response within 5 working days. If for some reason you do not, please follow up via email to ensure we received your original message. -If the issue is confirmed as a vulnerability by us, we will publish an advisory (e.g. on GitHub) and give credits for your report if desired. We follow the coordinated vulnerability disclosure model and will define an appropriate disclosure timeline together with you. +If we confirm the issue as a vulnerability, we will publish an advisory (e.g. on GitHub) and give credits for your report if desired. We follow the [coordinated vulnerability disclosure](https://vuls.cert.org/confluence/display/CVD) model and will define an appropriate disclosure timeline together with you. From 48d12e627ab01e8a0c0dd2fcd4ed98497a7a3a0c Mon Sep 17 00:00:00 2001 From: Florian Greinacher Date: Thu, 21 Sep 2023 10:00:01 +0200 Subject: [PATCH 7/7] chore: apply review suggestions --- SECURITY.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index 4fcf6d6..4e82fb2 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -5,7 +5,7 @@ please read the next sections and follow the instructions to report your finding ## Scope of this policy -This is the default security policy for all repositories within the `siemens` organzation on GitHub.com. +This is the default security policy for all repositories within the `siemens` organization on GitHub.com. It does not apply for reposities that have their own security policy. It also does not apply for forks where you should follow the upstream policy instead. 
@@ -14,11 +14,11 @@ If you are unsure whether the policy applies feel free to reach out via the chan ## Reporting a Vulnerability -Please DO NOT report any potential security vulnerability via a public channel (mailing list, GitHub issue etc.). +Please DO NOT report any potential security vulnerability via a public channel (mailing list, GitHub issue, etc.). Instead, [report the vulnerability privately via GitHub](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability) (if enabled for the repository) or [contact us via email](mailto:opensource@siemens.com). -Please provide a detailed description of the issue, the steps to reproduce it, the affected versions and, if already available, +Please provide a detailed description of the issue, the steps to reproduce it, the affected version(s) and, if already available, a proposal for a fix. You should receive a response within 5 working days. If for some reason you do not, please follow up via email to ensure we received your original message. If we confirm the issue as a vulnerability, we will publish an advisory (e.g. on GitHub) and give credits for your report if desired. We follow the [coordinated vulnerability disclosure](https://vuls.cert.org/confluence/display/CVD) model and will define an appropriate disclosure timeline together with you.
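Review bot: in PATCH 1/7, the email fallback `[contact us via email](mailto:opensource@siemens.com)` gives a reporter no way to protect a message that will typically contain reproduction steps for an unfixed bug; consider publishing a PGP key (or a pointer to one) next to the address, or at least stating how an encrypted channel can be arranged. The same file also says nothing about which versions receive fixes; since this is a default policy, one sentence stating that supported versions are defined by each repository would save reporters from guessing.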
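Review bot: in the README hunk of PATCH 2/7, the unchanged context line `This repository contains files related to many or all repositories withing the` has a typo (`withing` should be `within`); since this patch already edits that list, it is worth fixing in passing.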
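Review bot: the new "Scope of this policy" section in PATCH 3/7 contains two typos, `organzation` and `reposities` (should be `organization` and `repositories`), and `does not apply for` should read `does not apply to` in both sentences. The closing sentence also needs a comma after `applies`: `If you are unsure whether the policy applies, feel free to reach out ...`.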
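Review bot: the added paragraph in PATCH 4/7 has a stray word in `we will publish an advisory on (e.g. on GitHub)`; drop the first `on`. `give credits for your report` should be `give credit for your report`. The new follow-up sentence is a good addition, but it would help to say explicitly that the follow-up goes to the same opensource@siemens.com address named above, so a reporter who used the GitHub private-reporting form knows where to escalate.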
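Review bot: PATCH 5/7 removes the stray `on` but keeps `give credits for your report` (should be `credit`) and the passive `If the issue is confirmed as a vulnerability by us`; `If we confirm the issue as a vulnerability` reads more directly.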
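Review bot: with the CVD link added in PATCH 6/7, the sentence `will define an appropriate disclosure timeline together with you` still leaves the reporter without a baseline; stating a default maximum embargo period that applies when no other agreement is reached would make the commitment concrete and is what the linked CVD model expects both sides to negotiate from. `give credits` is still unchanged here as well.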
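Review bot: the first hunk of PATCH 7/7 corrects `organzation` but leaves `It does not apply for reposities that have their own security policy.` two lines below untouched; `reposities` should become `repositories` in the same commit, since it is the only remaining typo in the file.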