From d4236ab77f038260ff9ae1fece9bb2f48673d734 Mon Sep 17 00:00:00 2001
From: John Bley <jbley@splunk.com>
Date: Fri, 31 Jan 2025 14:09:39 -0500
Subject: [PATCH] More repository improvements (#597)

* Add CODEOWNERS file for github

* Add SECURITY.md
---
 .github/CODEOWNERS |  9 +++++++++
 SECURITY.md        | 25 +++++++++++++++++++++++++
 2 files changed, 34 insertions(+)
 create mode 100644 .github/CODEOWNERS
 create mode 100644 SECURITY.md

diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
new file mode 100644
index 00000000..820212aa
--- /dev/null
+++ b/.github/CODEOWNERS
@@ -0,0 +1,9 @@
+*       @signalfx/gdi-python-maintainers @signalfx/gdi-python-approvers
+
+#####################################################
+#
+# Docs reviewers
+#
+#####################################################
+
+*.md @signalfx/gdi-docs @signalfx/gdi-python-maintainers @signalfx/gdi-python-approvers
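Review bot: the `*.md` line correctly restates `@signalfx/gdi-python-maintainers @signalfx/gdi-python-approvers` alongside `@signalfx/gdi-docs`, since CODEOWNERS uses last-match-wins and a bare `*.md @signalfx/gdi-docs` would have silently dropped the code teams from every Markdown change, including the new SECURITY.md. Two things are still missing for the file to actually gate anything: the review-routing and CI surfaces are covered only by the catch-all `*`, so consider adding explicit entries such as `/.github/CODEOWNERS @signalfx/gdi-python-maintainers` and `/.github/workflows/ @signalfx/gdi-python-maintainers` so that approvers alone cannot change who reviews or what CI runs; and GitHub ignores the file unless the named teams have write access and branch protection has "Require review from Code Owners" enabled, which should be confirmed in repository settings as part of this change.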
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 00000000..54e34f19
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,25 @@
+# Security
+
+## Reporting Security Issues
+
+Please *DO NOT* report security vulnerabilities with public GitHub issue
+reports. Please [report security issues here](
+https://www.splunk.com/en_us/product-security/report.html).
+
+## Dependencies
+
+This project relies on a variety of external dependencies.
+These dependencies are monitored by
+[Dependabot](https://docs.github.com/en/code-security/supply-chain-security/configuring-dependabot-security-updates).
+Dependencies are [checked
+daily](https://github.com/signalfx/splunk-otel-python/blob/main/.github/dependabot.yml)
+and associated pull requests are opened automatically. Upgrading to the [latest
+release](https://github.com/signalfx/splunk-otel-python/releases)
+is recommended to ensure you have the latest security updates. If a security
+vulnerability is detected for a dependency of this project then either:
+
+- You are running an older release
+- A new release with the updates has not been cut yet
+- The updated dependency has not been merged likely due to some breaking change
+  (in this case, we will actively work to resolve the issue)
+- The dependency has not released an updated version with the patch
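Review bot: the Dependencies section conflates two different Dependabot features. The link text "Dependabot" points at the docs for Dependabot security updates, which is a repository setting that opens PRs when a dependency matches a published advisory, while the "checked daily" link points at `.github/dependabot.yml`, which only configures scheduled version updates; neither sentence says which of the two is actually enabled. Rewrite it to name both explicitly, e.g. "Dependabot version updates run daily per `.github/dependabot.yml`, and Dependabot security updates are enabled on the repository", so a reporter can tell what coverage to expect. Minor: "then either:" introduces four bullets, so "then one of the following applies:" reads better. Since the policy tells users to upgrade to the latest release, also consider a short "Supported Versions" section stating that only the latest release receives security fixes, and a sentence on what the reporter can expect after submitting through the Splunk form (acknowledgement, coordinated disclosure), which GitHub will surface when it renders this file as the repository's security policy.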