From 826c103199e388c85546bd23a40f58ba20320388 Mon Sep 17 00:00:00 2001 From: William Roberts Date: Thu, 5 Jan 2023 10:48:53 -0600 Subject: [PATCH] SECURITY.md: initial commit Signed-off-by: William Roberts --- CONTRIBUTING.md | 2 +- SECURITY.md | 37 +++++++++++++++++++++++++++++++++++++ 2 files changed, 38 insertions(+), 1 deletion(-) create mode 100644 SECURITY.md diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index b83e4d0..6eb44ab 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -2,7 +2,7 @@ All non security bugs should be filed on the Issues tracker: https://github.com/tpm2-software/tpm2-totp/issues -Security sensitive bugs should be emailed to a maintainers directly. +Security sensitive bugs should follow the instructions in SECURITY.md. # Guideline for submitting changes: All changes to the source code must follow the coding standard used in the diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..a59e069 --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,37 @@ +# Security Policy + +## Supported Versions + +Currently supported versions: + +| Version | Supported | +| ------- | ------------------ | +| any | :white_check_mark: | + +## Reporting a Vulnerability + +### Reporting + +Security vulnerabilities can be disclosed in one of two ways: +- GitHub: *preferred* By following [these](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability) instructions. +- Email: A descirption *should be emailed* to **all** members of the [MAINTAINERS](MAINTAINERS) file to coordinate the +disclosure of the vulnerability. + +### Tracking + +When a maintainer is notified of a security vulnerability, they *must* create a GitHub security advisory +per the instructions at: + + - + +Maintainers *should* use the optional feature through GitHub to request a CVE be issued, alternatively RedHat has provided CVE's +in the past and *may* be used, but preference is on GitHub as the issuing CNA. + +### Publishing + +Once ready, maintainers should publish the security vulnerability as outlined in: + + - + +As well as ensuring the publishing of the CVE, maintainers *shal*l have new release versions ready to publish at the same time as +the CVE. Maintainers *should* should strive to adhere to a sub 60 say turn around from report to release.
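Review bot: In the CONTRIBUTING.md hunk, the replacement line "Security sensitive bugs should follow the instructions in SECURITY.md." makes the bug the subject that follows instructions; suggest "Reporters of security-sensitive bugs should follow the instructions in [SECURITY.md](SECURITY.md)." so the reporter is the subject, the compound adjective is hyphenated, and the file is a relative link that renders on GitHub, matching the way the new SECURITY.md links to the MAINTAINERS file.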
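Review bot: In the SECURITY.md hunk, the two instruction bullets under "Tracking" and "Publishing" are bare "- " items with no link target, so a maintainer following the policy has no advisory-creation or publishing instructions to follow; the GitHub documentation URLs need to be filled in there. Several spelling and markup slips in the same hunk will reach external reporters as written: "descirption" should be "description"; "*shal*l" closes the emphasis mid-word and should be "*shall*"; "Maintainers *should* should strive" repeats "should"; and "sub 60 say turn around" should read "sub-60-day turnaround". Finally, the "Supported Versions" table lists "any", which commits the maintainers to fixing every historical release; consider stating the actual support window so reporters and downstream users know which versions will receive a fix alongside the CVE.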