[docs] Add security policy (#20)

patrick-ogrady · web-flow · commit c3d206a61f47 · 2025-03-11T18:16:19.000-07:00
* add security policy

* add SECURITY

* fix link
diff --git a/README.md b/README.md
@@ -6,6 +6,8 @@
 
 ## Components
 
+_Components are designed for deployment in adversarial environments. If you find an exploit, please refer to our [security policy](./SECURITY.md) before disclosing it publicly (an exploit may equip a malicious party to attack users of a primitive)._
+
 * [chain](./chain/README.md): A minimal blockchain built with the [Commonware Library](https://github.com/commonwarexyz/monorepo).
 * [client](./client/README.md): Client for interacting with `alto`.
 * [explorer](./explorer/README.md): Visualize `alto` activity.
diff --git a/SECURITY.md b/SECURITY.md
@@ -0,0 +1,7 @@
+# Reporting Security Issues
+
+We welcome security disclosures and are committed to providing prompt attention to any confirmed security issues.
+
+Vulnerabilities should be reported privately [via GitHub Security](https://github.com/commonwarexyz/monorepo/security) instead of as a public issue.
+
+We do not yet offer a bounty program for responsible disclosure of security vulnerabilities, however, we do track contributions and record them in the [Commonware Library](https://github.com/commonwarexyz/monorepo/blob/main/SECURITY.md).
