Create SECURITY.md

If we're public we need to state a security policy. Don't forget to also actually enable the security center in the GitHub repository settings.
trifectatechfoundation · Dec 11, 2024 · 8058c06 · 8058c06
1 parent fe98e6a
commit 8058c06
Showing 1 changed file with 31 additions and 0 deletions.
diff --git a/SECURITY.md b/SECURITY.md
@@ -0,0 +1,31 @@
+Security policy
+===============
+
+**Do not report security vulnerabilities through public GitHub issues.**
+Instead, you can report security vulnerabilities using [our security page].
+
+Please include as much of the following information as possible:
+
+ * Type of issue (e.g. buffer overflow, privilege escalation, etc.)
+ * The location of the affected source code (tag/branch/commit or direct URL)
+ * Any special configuration required to reproduce the issue
+ * If applicable, which platforms are affected
+ * Step-by-step instructions to reproduce the issue
+ * Impact of the issue, including how an attacker might exploit the issue
+
+## Preferred Languages
+
+We prefer to receive reports in English. If necessary, we also understand Dutch and Frisian.
+
+## Disclosure Policy
+
+We adhere to the principle of [coordinated vulnerability disclosure].
+
+Security Advisories
+===================
+Security advisories will be published on our [github advisories page] and
+possibly through other channels.
+
+[our security page]: https://github.com/trifectatechfoundation/libbzip2-rs/security
+[coordinated vulnerability disclosure]: https://vuls.cert.org/confluence/display/CVD/Executive+Summary
+[github advisories page]: https://github.com/trifectatechfoundation/libbzip2-rs/security/advisories