Add security info for structured headers. (#11)

Lukasa · web-flow · commit 92e9a35d70d7 · 2021-07-06T16:33:01.000+01:00
diff --git a/README.md b/README.md
@@ -106,3 +106,7 @@ let serialized = serializer.writeListFieldValue(parsed)
 Notice the substantially more verbose types involved in this operation. These types are highly generic, giving the opportunity for parsing and serializing that greatly reduces the runtime overhead. They also make it easier to distinguish between tokens and strings, and to observe the order of objects in dictionaries or parameters, which can be lost at the Codable level.
 
 In general, users should consider this API only when they are confident they need either the flexibility or the performance. This may be valuable for header fields that do not evolve often, or that are highly dynamic.
+
+## Security
+
+swift-http-structured-headers has a security policy outlined in [SECURITY.md](SECURITY.md).
diff --git a/SECURITY.md b/SECURITY.md
@@ -0,0 +1,44 @@
+# Security
+
+This document specifies the security process for the Swift HTTP Structured Headers project.
+
+## Disclosures
+
+### Private Disclosure Process
+
+The maintainers ask that known and suspected vulnerabilities be
+privately and responsibly disclosed by emailing
+[sswg-security-reports@forums.swift.org](mailto:sswg-security-reports@forums.swift.org)
+with the all the required detail.
+**Do not file a public issue.**
+
+#### When to report a vulnerability
+
+* You think you have discovered a potential security vulnerability in
+  Swift HTTP Structured Headers.
+* You are unsure how a vulnerability affects Swift HTTP Structured Headers.
+
+#### What happens next?
+
+* A member of the team will acknowledge receipt of the report within 3
+  working days (United States). This may include a request for additional
+  information about reproducing the vulnerability.
+* We will privately inform the Swift Server Work Group ([SSWG][sswg]) of the
+  vulnerability within 10 days of the report as per their [security
+  guidelines][sswg-security].
+* Once we have identified a fix we may ask you to validate it. We aim to do this
+  within 30 days. In some cases this may not be possible, for example when the
+  vulnerability exists at the protocol level and the industry must coordinate on
+  the disclosure process.
+* If a CVE number is required, one will be requested from [MITRE][mitre]
+  providing you with full credit for the discovery.
+* We will decide on a planned release date and let you know when it is.
+* Prior to release, we will inform major dependents that a security-related
+  patch is impending.
+* Once the fix has been released we will publish a security advisory on GitHub
+  and in the Server → Security Updates category on the [Swift forums][swift-forums-sec].
+
+[sswg]: https://github.com/swift-server/sswg
+[sswg-security]: https://github.com/swift-server/sswg/blob/main/security/README.md
+[swift-forums-sec]: https://forums.swift.org/c/server/security-updates/
+[mitre]: https://cveform.mitre.org/
