added security policy document

Signed-off-by: Adrian Catangiu <acatan@amazon.com>
firecracker-microvm · Apr 27, 2020 · b50abb2 · b50abb2
1 parent c15a88c
commit b50abb2
Showing 1 changed file with 22 additions and 0 deletions.
diff --git a/SECURITY-POLICY.md b/SECURITY-POLICY.md
@@ -0,0 +1,22 @@
+# Security Issue Policy
+
+If you uncover a security issue with versionize, please write to us on
+<firecracker-security-disclosures@amazon.com>.
+
+Once the Firecracker [maintainers](MAINTAINERS.md) become aware (or are made
+aware) of a security issue, they will immediately assess it. Based on impact
+and complexity, they will determine an embargo period (if externally reported,
+the period will be agreed upon with the external party).
+
+During the embargo period, maintainers will prioritize developing a fix over
+other activities. Within this period, maintainers may also notify a limited
+number of trusted parties via a pre-disclosure list, providing them with
+technical information, a risk assessment, and early access to a fix.
+
+The external customers are included in this group based on the scale of their
+versionize usage in production. The pre-disclosure list may also contain
+significant external security contributors that can join the effort to fix the
+issue during the embargo period.
+
+At the end of the embargo period, maintainers will publicly release information
+about the security issue together with the versionize patches that mitigate it.