Add SECURITY policy

gdt-dev · Jul 26, 2023 · b1632f6 · b1632f6
1 parent a89a8df
commit b1632f6
Showing 1 changed file with 23 additions and 0 deletions.
diff --git a/SECURITY.md b/SECURITY.md
@@ -0,0 +1,23 @@
+# Security Policy
+
+We take security vulnerabilities seriously (and so should you!)
+
+Our policy on reported vulnerabilities (see below on how to report) is that we will
+respond to the reporter of a vulnerability within two (2) business days of receiving
+the report and notify the reporter whether and when a remediation will be committed.
+
+When a remediation for a security vulnerability is committed, we will cut a tagged
+release of `gdt` and include in the release notes for that tagged release a description
+of the vulnerability and a discussion of how it was remediated, along with a note
+urging users to update to that fixed version.
+
+## Reporting a Vulnerability
+
+While `gdt` does have automated Github Dependabot alerts about security vulnerabilities
+in `gdt`'s dependencies, there is always a chance that a vulnerability in a dependency
+goes undetected by Dependabot. If you are aware of a vulnerability either in `gdt` or
+one of its dependencies, please do not hesitate to reach out to `gdt` maintainers via
+email or Slack. **Do not discuss vulnerabilities in a public forum**.
+
+`gdt`'s primary maintainer is Jay Pipes, who can be found on the Kubernetes Slack
+community as `@jaypipes` and reached via email at jaypipes at gmail dot com.