[Docs] Add SECURITY.md

The paragraph "The Gramine team will send a response..." is based on https://github.com/electron/electron/blob/28-x-y/SECURITY.md. Signed-off-by: Dmitrii Kuvaiskii <[email protected]>
suisui-koubou · Nov 27, 2023 · e053030 · e053030
1 parent 85d296c
commit e053030
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 5 deletions.
diff --git a/.github/ISSUE_TEMPLATE/config.yml b/.github/ISSUE_TEMPLATE/config.yml
@@ -3,7 +3,3 @@ contact_links:
   - name: 💬 I need help with Gramine usage
     url: https://github.com/gramineproject/gramine/discussions/categories/general
     about: Open a discussion thread
-  - name: 🔒 Report a security vulnerability
-    # GitHub doesn't seem to accept `mailto:` URLs here :/
-    url: https://gramine.readthedocs.io/en/latest/devel/contributing.html#reporting-security-vulnerabilities
-    about: Write an email to [email protected]
diff --git a/README.rst b/README.rst
@@ -90,4 +90,5 @@ If you prefer emails, please send them to [email protected]
 Reporting security issues
 =========================
 
-Please report security issues to [email protected].
+Please report security issues to [email protected]. See also our
+`security policy <SECURITY.md>`__.
diff --git a/SECURITY.md b/SECURITY.md
@@ -0,0 +1,16 @@
+# Reporting Security Issues
+
+Please report security issues to [email protected].
+
+Please note that the Gramine team analyzes security bugs only on the current
+`master` branch. This implies that you must reproduce the bug on master before
+reporting.
+
+The Gramine team will send a response indicating the next steps in handling your
+report. After the initial reply to your report, the security team will keep you
+informed of the progress towards a fix and full announcement, and may ask for
+additional information or guidance.
+
+If the bug report is correct, we will acknowledge your contributions by
+specifying your name in the commit message. Please provide the preferred
+name/nick to put there.