From 5ac2cc54918c480bd40ec3f05c9ce93a2d7afa99 Mon Sep 17 00:00:00 2001 From: Ian Lewis Date: Sun, 6 Oct 2019 21:06:53 -0700 Subject: [PATCH] Add SECURITY.md. Adds minimal security policy info to SECURITY.md. This allows Github to advertise the security policy doc for the repo. See: https://github.blog/changelog/2019-05-23-security-policy/ See: https://help.github.com/en/articles/adding-a-security-policy-to-your-repository PiperOrigin-RevId: 273214306 --- README.md | 7 ++----- SECURITY.md | 11 +++++++++++ 2 files changed, 13 insertions(+), 5 deletions(-) create mode 100644 SECURITY.md diff --git a/README.md b/README.md index 7ab76d305..5ac6f9046 100644 --- a/README.md +++ b/README.md @@ -133,11 +133,9 @@ The [gvisor-users mailing list][gvisor-users-list] and [gvisor-dev mailing list][gvisor-dev-list] are good starting points for questions and discussion. -## Security +## Security Policy -Sensitive security-related questions, comments and disclosures can be sent to -the [gvisor-security mailing list][gvisor-security-list]. The full security -disclosure policy is defined in the [community][community] repository. +See [SECURITY.md](SECURITY.md). ## Contributing @@ -147,7 +145,6 @@ See [Contributing.md](CONTRIBUTING.md). [community]: https://gvisor.googlesource.com/community [docker]: https://www.docker.com [git]: https://git-scm.com -[gvisor-security-list]: https://groups.google.com/forum/#!forum/gvisor-security [gvisor-users-list]: https://groups.google.com/forum/#!forum/gvisor-users [gvisor-dev-list]: https://groups.google.com/forum/#!forum/gvisor-dev [oci]: https://www.opencontainers.org diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 000000000..154d68cb3 --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,11 @@ +# Security and Vulnerability Reporting + +Sensitive security-related questions, comments, and reports should be sent to +the [gvisor-security mailing list][gvisor-security-list]. You should receive a +prompt response, typically within 48 hours. + +Policies for security list access, vulnerability embargo, and vulnerability +disclosure are outlined in the [community][community] repository. + +[community]: https://gvisor.googlesource.com/community +[gvisor-security-list]: https://groups.google.com/forum/#!forum/gvisor-security
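Review bot: In the first README.md hunk (@@ -133,11 +133,9), renaming the heading from `## Security` to `## Security Policy` changes the anchor GitHub generates for it from `#security` to `#security-policy`, so any existing deep link to the README's security section stops resolving. Either keep the original heading text or accept the break knowingly. The replacement body, `See [SECURITY.md](SECURITY.md).`, also drops the only in-README mention of the gvisor-security list. Keeping one sentence that names the list next to the link would spare a reporter the extra hop.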
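Review bot: In the second README.md hunk (@@ -147,7 +145,6), only `[gvisor-security-list]` is removed from the link definitions, yet the paragraph deleted in the previous hunk also used `[community][community]`. If nothing else in README.md still references it, the `[community]: https://gvisor.googlesource.com/community` definition is now dead as well and should be removed in the same change.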
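Review bot: In the new SECURITY.md, "You should receive a prompt response, typically within 48 hours." is a response-time commitment that the README text it replaces did not make. Confirm that it matches the policy in the community repository the next paragraph points to, or soften the wording. Separately, the only contact path given is the Google Groups forum URL in `[gvisor-security-list]`. Stating the list's e-mail address in plain text, and noting that reports should go there rather than to the public issue tracker, would make the file usable when read outside a browser.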