From 03234957abcdce8e99d30a9f7ed522f54c6f451c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ulises=20Gasc=C3=B3n?= Date: Mon, 8 Sep 2025 16:23:31 +0200 Subject: [PATCH] feat: add security policy MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Updated the instructions for reporting security issues to specify using GitHub’s Report a vulnerability form. --- SECURITY.md | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 00000000000..d2dd4c35ed4 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,24 @@ +# Security Policy + +## Reporting a Vulnerability + +Please report security issues **privately** using GitHub’s **Report a vulnerability** form on this repository (Security tab). + +**Do not** file public GitHub issues for security problems. + +When reporting, please include: +- Affected project/repo and version(s) +- Impact and component(s) involved +- Reproduction steps or PoC (if available) +- Your contact and preferred credit name + +If you do not receive an acknowledgement of your report within **6 business days**, or if you cannot find a private security contact for the project, you may **escalate to the OpenJS Foundation CNA** at `security@lists.openjsf.org`. + +If the project acknowledges your report but does not provide any further response or engagement within **14 days**, escalation is also appropriate. + +## Coordination & Disclosure + +We follow coordinated vulnerability disclosure: +- We will acknowledge your report, assess impact, and work on a fix. +- We aim to provide status updates at reasonable intervals until resolution. +- We will publish a security advisory (and **CVE via the OpenJS CNA when applicable**) once a fix or mitigation is available. We credit reporters by default unless you request otherwise.
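Review bot: the commit message body ("Updated the instructions for reporting security issues to specify using GitHub's Report a vulnerability form") describes editing existing instructions, but this hunk creates SECURITY.md from scratch (`new file mode 100644`, `--- /dev/null`, 24 insertions, 0 deletions); reword the body to say the policy is being added so the history matches the change. On the policy text itself, the "Coordination & Disclosure" section promises status updates "at reasonable intervals" but states no target disclosure timeline, so a reporter has no way to know when public disclosure is expected if a fix stalls; consider stating one next to the 14-day escalation rule. It would also help to add the conventional "Supported Versions" section so reporters know which versions are in scope before filing.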