koordinator-sh · koordinator-bot · Apr 16, 2024 · Apr 16, 2024
diff --git a/README-zh_CN.md b/README-zh_CN.md
@@ -78,3 +78,6 @@ Koordinator is licensed under the Apache License, Version 2.0. See [LICENSE](./L
 
 [![Star History Chart](https://api.star-history.com/svg?repos=koordinator-sh/koordinator&type=Date)](https://star-history.com/#koordinator-sh/koordinator&Date)
 -->
+
+## 安全
+对于发现的安全漏洞，请邮件发送至kubernetes-security@service.aliyun.com，您可在[SECURITY.md](./SECURITY.md)文件中找到更多信息。
diff --git a/README.md b/README.md
@@ -78,3 +78,6 @@ Koordinator is licensed under the Apache License, Version 2.0. See [LICENSE](./L
 
 [![Star History Chart](https://api.star-history.com/svg?repos=koordinator-sh/koordinator&type=Date)](https://star-history.com/#koordinator-sh/koordinator&Date)
 -->
+
+## Security
+Please report vulnerabilities by email to kubernetes-security@service.aliyun.com. Also see our [SECURITY.md](./SECURITY.md) file for details.
diff --git a/SECURITY.md b/SECURITY.md
@@ -0,0 +1,22 @@
+# Security Policy
+
+- [Security Policy](#security-policy)
+  - [Reporting security problems](#reporting-security-problems)
+  - [Vulnerability Management Plans](#vulnerability-management-plans)
+    - [Critical Updates And Security Notices](#critical-updates-and-security-notices)
+
+## Reporting security problems
+
+**DO NOT CREATE AN ISSUE** to report a security problem. Instead, please
+send an email to kubernetes-security@service.aliyun.com
+
+Please follow the [embargo policy](./embargo-policy.md) for all security-related problems.
+
+## Vulnerability Management Plans
+
+### Critical Updates And Security Notices
+
+We learn about critical software updates and security threats from these sources
+
+1. GitHub Security Alerts
+2. [Dependabot](https://dependabot.com/) Dependency Updates
diff --git a/embargo-policy.md b/embargo-policy.md
@@ -0,0 +1,30 @@
+# Embargo Policy
+
+This policy forbids members of this project's security contacts any others
+defined below from sharing information outside of the security contacts and this
+listing without need-to-know and advance notice.
+
+The information members and others receive from the list defined below must:
+
+* not be made public,
+* not be shared,
+* not be hinted at
+* must be kept confidential and close held
+
+Except with the list's explicit approval. This holds true until the public
+disclosure date/time that was agreed upon by the list.
+
+If information is inadvertently shared beyond what is allowed by this policy,
+you are REQUIRED to inform the security contacts kubernetes-security@service.aliyun.com of exactly what
+information leaked and to whom. A retrospective will take place after the leak
+so we can assess how to not make this mistake in the future.
+
+Violation of this policy will result in the immediate removal and subsequent
+replacement of you from this list or the Security Contacts.
+
+## Disclosure Timeline
+
+This project sustains a **disclosure timeline** to ensure we provide a
+quality, tested release. On some occasions, we may need to extend this timeline
+due to complexity of the problem, lack of expertise available, or other reasons.
+Submitters will be notified if an extension occurs.