Description
Hello maintainers,
While reviewing OWASP project repositories, I noticed that the OWASP Top 10 repository currently does not include a SECURITY.md file or a documented security policy for reporting vulnerabilities related to the repository itself (e.g., CI/CD workflows, repository configuration, or infrastructure-related issues).
Several other OWASP projects already maintain a security policy to guide responsible disclosure and reduce the risk of accidental public reporting.
For reference, I recently worked on a similar security-hardening effort in another OWASP project, where a security-related improvement was accepted via PR:
Related PR: https://github.com/OWASP/www-project-vulnerable-web-applications-directory/pull/180
Introducing a SECURITY.md here could help:
- Provide a clear disclosure path for repository or workflow vulnerabilities
- Align OWASP Top 10 with GitHub security best practices
- Improve consistency across OWASP-managed projects
I’d be happy to open a PR with a minimal, OWASP-aligned SECURITY.md if this is something the maintainers agree would be useful.
Thank you for your time and for maintaining this important project.
Best regards,
Savio D’souza