Bootstrap Security Policy

Author: tyranron

SECURITY.md

@@ -0,0 +1,40 @@
+Security Policy
+===============
+
+Security policy of [`cucumber-expressions`] crate.
+
+
+
+
+## Supported versions
+
+Before going `1.0`, the [`cucumber-expressions`] crate maintains only the most recent minor release.
+
+
+
+
+## Reporting a vulnerability
+
+Security is of the highest importance and all security vulnerabilities or suspected security vulnerabilities should be reported to this project privately, to minimize attacks against current users of [`cucumber-expressions`] crate before they are fixed. Vulnerabilities will be investigated and patched on the next patch (or minor) release as soon as possible. This information could be kept entirely internal to the project.
+
+
+### Private disclosure process
+
+> **WARNING:** Do not file public issues on GitHub for security vulnerabilities.
+
+To report a vulnerability or a security-related issue, please use [GitHub private vulnerability reporting][11] on the [Security Advisories page][1] and fill the vulnerability details. It will be addressed within a week, including a detailed plan to investigate the issue and any potential workarounds to perform in the meantime. Do not report non-security-impacting bugs through this channel, use [GitHub issues][2] instead.
+
+
+### Public disclosure process
+
+Project maintainers publish a [public advisory][1] to the community [via GitHub][12].
+
+
+
+
+[`cucumber-expressions`]: https://docs.rs/cucumber-expressions
+
+[1]: /../../security/advisories
+[2]: /../../issues
+[11]: https://docs.github.com/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability
+[12]: https://docs.github.com/code-security/security-advisories/repository-security-advisories/publishing-a-repository-security-advisory#about-publishing-a-security-advisory