Add a SECURITY.md file

tgonzalezorlandoarm · tgonzalezorlandoarm · commit 86a0dc765901 · 2024-03-13T17:09:31.000Z
Includes the security policy of the project, with disclosure and
vulnerability reporting measures.

Signed-off-by: Tomás González &lt;tomasagustin.gonzalezorlando@arm.com&gt;
diff --git a/SECURITY.md b/SECURITY.md
@@ -0,0 +1,26 @@
+# Security policy
+
+Security is of paramount importance to the tss-esapi project. We do all we can to identify and fix
+issues, however some problems might slip through the cracks. Any efforts towards responsible
+disclosure of security problems are greatly appreciated and your contributions will be acknowledged.
+
+## Our disclosure policy
+
+All security vulnerabilities affecting the tss-esapi project - including those reported using the
+steps highlighted below, those discovered during routine testing, and those found in our dependency
+tree either through `cargo-audit` or otherwise - will receive
+[security advisories](https://github.com/parallaxsecond/rust-tss-esapi/security) in a timely
+manner. The advisories should include sufficient information about the cause, effect, and possible
+mitigations for the vulnerability. If any information is missing, or you would like to raise a
+question about the advisories, please open an issue in
+[our repo](https://github.com/parallaxsecond/rust-tss-esapi).
+
+Efforts to mitigate for the reported vulnerabilities will be tracked using GitHub issues linked to
+the corresponding advisories.
+
+## Reporting a vulnerability
+
+To report a vulnerability, please send an email to
+[cncf-parsec-maintainers@lists.cncf.io](mailto:cncf-parsec-maintainers@lists.cncf.io). We will
+promptly reply to your report and we will strive to keep you in the loop as we try to reach a
+resolution.
