From 1ac53089951095c5fa0e0c5194b3b3a6c08b74df Mon Sep 17 00:00:00 2001 From: Peter Sabaini Date: Fri, 2 May 2025 21:30:41 +0200 Subject: [PATCH] feat: add instructions for filing security reports Signed-off-by: Peter Sabaini --- .github/workflows/cla-check.yaml | 2 +- SECURITY.md | 9 +++++++++ 2 files changed, 10 insertions(+), 1 deletion(-) create mode 100644 SECURITY.md diff --git a/.github/workflows/cla-check.yaml b/.github/workflows/cla-check.yaml index 9e5702ea..7c49da6e 100644 --- a/.github/workflows/cla-check.yaml +++ b/.github/workflows/cla-check.yaml @@ -3,7 +3,7 @@ on: [pull_request] jobs: cla-check: - runs-on: ubuntu-20.04 + runs-on: ubuntu-24.04 steps: - name: Check if CLA signed uses: canonical/has-signed-canonical-cla@v2 diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 00000000..237fae77 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,9 @@ +To report a security issue, file a [Private Security +Report](https://github.com/canonical/ceph-containers/security/advisories) with +a description of the issue, the steps you took to create the issue, affected +versions, and, if known, mitigations for the issue. + +The [Ubuntu Security disclosure and embargo +policy](https://ubuntu.com/security/disclosure-policy) contains more +information about what you can expect when you contact us and what we expect +from you.
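Review bot: the `runs-on: ubuntu-20.04` to `ubuntu-24.04` change in `.github/workflows/cla-check.yaml` is not mentioned in the commit subject or body, which only describe adding security reporting instructions. Either split the runner bump into its own commit or add a line to the message saying why it is included, so the history for the CI change is searchable. While this file is being touched, note that the step `uses: canonical/has-signed-canonical-cla@v2` references a mutable tag; pinning it to a full commit SHA would make the workflow's behaviour reproducible and independent of later tag moves.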
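Review bot: in `SECURITY.md`, the "Private Security Report" link targets `https://github.com/canonical/ceph-containers/security/advisories`, which is the advisories listing rather than the submission form; linking to `.../security/advisories/new` takes the reporter straight to the form, and that form is only offered if private vulnerability reporting is enabled in the repository settings, so please confirm that before merging. The phrase "the steps you took to create the issue" would read more clearly as "the steps to reproduce the issue". The file also gives no alternative contact for a reporter who cannot use GitHub; if the linked Ubuntu disclosure policy is meant to cover that, say so explicitly in the second paragraph.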