From 6d02f2a78c9d39c5aae430638cd9112571c3a26c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ulises=20Gasc=C3=B3n?= Date: Mon, 15 Sep 2025 12:20:13 +0200 Subject: [PATCH] docs: add a security policy --- SECURITY.md | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000000..d2dd4c35ed --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,24 @@ +# Security Policy + +## Reporting a Vulnerability + +Please report security issues **privately** using GitHub’s **Report a vulnerability** form on this repository (Security tab). + +**Do not** file public GitHub issues for security problems. + +When reporting, please include: +- Affected project/repo and version(s) +- Impact and component(s) involved +- Reproduction steps or PoC (if available) +- Your contact and preferred credit name + +If you do not receive an acknowledgement of your report within **6 business days**, or if you cannot find a private security contact for the project, you may **escalate to the OpenJS Foundation CNA** at `security@lists.openjsf.org`. + +If the project acknowledges your report but does not provide any further response or engagement within **14 days**, escalation is also appropriate. + +## Coordination & Disclosure + +We follow coordinated vulnerability disclosure: +- We will acknowledge your report, assess impact, and work on a fix. +- We aim to provide status updates at reasonable intervals until resolution. +- We will publish a security advisory (and **CVE via the OpenJS CNA when applicable**) once a fix or mitigation is available. We credit reporters by default unless you request otherwise.