Add security policy

Signed-off-by: Dan Middleton <[email protected]>
confidential-containers · Jan 2, 2024 · 3277542 · 3277542
1 parent c8d8218
commit 3277542
Showing 1 changed file with 33 additions and 0 deletions.
diff --git a/SECURITY.md b/SECURITY.md
@@ -0,0 +1,33 @@
+# Security Policy
+
+## Reporting a Vulnerability
+
+Please do not use public issues to report security vulnerabilities.
+
+To report a vulnerability please select the security tab of the repo and
+click `Report a vulnerability`. 
+This will create a private github issue that CoCo maintainers
+and security champions will be able to see.
+
+The CoCo community aspires to follow the security best practices defined by OpenSSF,
+including responding to vulnerability reports within 14 days.
+
+
+## Supported Versions
+
+Please note that the CoCo community analyzes security issues only in the the most recent release.
+
+CoCo has not released any long term supported versions yet.
+
+Patches will not be backported to earlier versions.
+
+Patches will be released as point versions of the current version, e.g. releasing 0.8.1 to correct
+v0.8, or will be patched in the next release, e.g. v0.9.
+
+
+## Security Bulletins
+
+CoCo announces security issues and their fixes in the release notes of the patching version.
+For example, a vulnerability discovered in v0.8 and fixed in v0.8.1 will be announced in the
+release notes for v0.8.1.
+