add security, update contributing and community

clewellyn-nava · clewellyn-nava · commit e9e010e9ba16 · 2025-09-09T15:13:56.000-04:00
diff --git a/COMMUNITY.md b/COMMUNITY.md
@@ -11,10 +11,6 @@ cms-bb2-python-sdk is supported by a dedicated team of individuals fulfilling va
 | Maintainer | Brandon Wang | ICF |
 | Maintainer | Connor Lewellyn | Nava PBC |
 
-See [CODEOWNERS.md](.github/CODEOWNERS.md) for a list of those responsible for the code and documentation in this repository.
-
-See [Community Guidelines](#cms-bb2-python-sdk-open-source-community-guidelines) on principles and guidelines for participating in this open source project.
-
 ## Roles & Responsibilities
 
 The members of cms-bb2-python-sdk community are responsible for guiding its development, ensuring quality standards, and fostering a collaborative environment. They play a vital role in making decisions about code contributions, handling releases, and ensuring the project meets its goals and objectives. Below is a list of the key members and their specific roles and responsibilities. We are eagerly seeking individuals who are interested in joining the community and helping shape and support these roles.
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -115,7 +115,7 @@ We welcome improvements to the project documentation. This includes:
 - Developer tutorials
 - Code comments and inline documentation
 
-Please file an [issue](https://github.com/CMSGov/ms-bb2-node-sdk/issues) for documentation improvements or submit a pull request with your changes.
+Please file an [issue](https://github.com/CMSGov/cms-bb2-python-sdk/issues) for documentation improvements or submit a pull request with your changes.
 
 **Documentation Resources:**
 - Developer documentation: https://cmsgov.github.io/bluebutton-developer-help/
diff --git a/SECURITY.md b/SECURITY.md
@@ -0,0 +1,12 @@
+# Security and Responsible Disclosure Policy
+
+The Centers for Medicare & Medicaid Services is committed to ensuring the security of the American public by protecting their information from unwarranted disclosure. We want security researchers to feel comfortable reporting vulnerabilities they have discovered so we can fix them and keep our users safe. We developed our disclosure policy to reflect our values and uphold our sense of responsibility to security researchers who share their expertise with us in good faith.
+
+*Submit a vulnerability:* Vulnerability reports can be submitted through [Bugcrowd](https://bugcrowd.com/cms-vdp). Reports may be submitted anonymously. If you share contact information, we will acknowledge receipt of your report within 3 business days.
+
+Review the HHS Disclosure Policy and websites in scope:
+[https://www.hhs.gov/vulnerability-disclosure-policy/index.html](https://www.hhs.gov/vulnerability-disclosure-policy/index.html).
+
+This policy describes *what systems and types of research* are covered under this
+policy, *how to send* us vulnerability reports, and *how long* we ask security
+researchers to wait before publicly disclosing vulnerabilities.
