docs: add security policy to repo root

Signed-off-by: Xander Grzywinski <xandergrzyw@gmail.com>
zarf-dev · May 9, 2024 · 4174e2b · 4174e2b
1 parent 898061d
commit 4174e2b
Showing 1 changed file with 17 additions and 0 deletions.
diff --git a/SECURITY.md b/SECURITY.md
@@ -0,0 +1,17 @@
+# Reporting Security Issues
+
+To report a security issue or vulnerability in Zarf, please use the confidential GitHub Security Advisory ["Report a Vulnerability"](https://github.com/defenseunicorns/zarf/security/advisories) tab. The Zarf team will send a response indicating the next steps in handling your report. After the initial reply to your report, the team will keep you informed of the progress towards a fix and full announcement, and may ask for additional information or guidance.
+
+### When Should I Report a Vulnerability?
+
+* You found a vulnerability in the Zarf code.
+* You found a vulnerability in one of the Zarf dependencies that affects the project that has not been patched yet.
+
+### When Should I NOT Report a Vulnerability?
+
+* You found a bug or malfunction in the Zarf code (not security related).
+* You want to add a feature to Zarf.
+
+## Contacting Us
+
+To discuss security related issues, please email the maintainers at zarf-dev-private@googlegroups.com.