confidential-containers · dcmiddle · Jan 2, 2024 · Dec 15, 2023 · Dec 15, 2023
diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md
@@ -0,0 +1,13 @@
+Please do not use public github issues to report security vulnerabilities.
+To report a security vulnerability please follow the security policy found in the security tab of
+any of our github repositories.
+
+## Expected Behavior
+
+## Actual Behavior
+
+## Steps to reproduce
+
+## Found in CoCo Version
+
+
diff --git a/SECURITY.md b/SECURITY.md
@@ -0,0 +1,33 @@
+# Security Policy
+
+## Reporting a Vulnerability
+
+Please do not use public issues to report security vulnerabilities.
+
+To report a vulnerability please select the security tab of the repo and
+click `Report a vulnerability`. 
+This will create a private github issue that CoCo maintainers
+and security champions will be able to see.
+
+The CoCo community aspires to follow the security best practices defined by OpenSSF,
+including responding to vulnerability reports within 14 days.
+
+
+## Supported Versions
+
+Please note that the CoCo community analyzes security issues only in the the most recent release.
+
+CoCo has not released any long term supported versions yet.
+
+Patches will not be backported to earlier versions.
+
+Patches will be released as point versions of the current version, e.g. releasing 0.8.1 to correct
+v0.8, or will be patched in the next release, e.g. v0.9.
+
+
+## Security Bulletins
+
+CoCo announces security issues and their fixes in the release notes of the patching version.
+For example, a vulnerability discovered in v0.8 and fixed in v0.8.1 will be announced in the
+release notes for v0.8.1.
+