Merge pull request #3798 from SwiftPackageIndex/security-policy

Added a basic SECURITY.md

Author: finestructure

SECURITY.md

@@ -0,0 +1,21 @@
+# Security Policies and Procedures
+
+This document outlines security procedures and general policies for the Swift Package Index project.
+
+## Reporting Security Issues with the Project
+
+We take all security bugs in the Swift Package Index project seriously. We appreciate your responsible disclosure efforts and, where appropriate, will acknowledge your contributions.
+
+Please report security bugs via the “[Security](https://github.com/SwiftPackageIndex/SwiftPackageIndex-Server/security)” tab in the [Server GitHub repository](https://github.com/SwiftPackageIndex/SwiftPackageIndex-Server) or directly via the “[Report a Vulnerability](https://github.com/SwiftPackageIndex/SwiftPackageIndex-Server/security/advisories/new)” form. This will open a private conversation with the Swift Package Index project maintainers.
+
+Once we resolve a security issue, we will publish a security advisory on the GitHub repository’s “Security” tab, where appropriate.
+
+## Reporting Security Issues in Packages in the Index
+
+If you find a security issue **in a package indexed by the Swift Package Index package**, please report it directly to the package maintainer.
+
+If you believe a package has malicious intent or critical security issues that the maintainer doesn’t address promptly, report it via the “[Security](https://github.com/SwiftPackageIndex/PackageList/security)” tab in the [PackageList GitHub repository](https://github.com/SwiftPackageIndex/PackageList) or directly via the “[Report a Vulnerability](https://github.com/SwiftPackageIndex/PackageList/security)” form. This will open a private conversation with the Swift Package Index project maintainers.
+
+## Comments on this Policy
+
+Please [open a discussion](https://github.com/SwiftPackageIndex/SwiftPackageIndex-Server/discussions/new/choose) if you have suggestions to improve this process.