adopt SSWG security guidelines (#31)

Author: ktoso

README.md

@@ -9,7 +9,7 @@ a metrics backend for [swift-metrics](https://github.com/apple/swift-metrics) th
 * [graphite](https://graphiteapp.org)
 * many others
 
-## getting started
+## Getting started
 
 create an instance of the `StatsdClient` and boostrap the `MertricsSystem`  in your application's main:
 
@@ -27,7 +27,7 @@ statsdClient.shutdown()
 ```
 
 
-## architecture
+## Architecture
 
 the statsd client uses [swift-nio](https://github.com/apple/swift-nio) to establish a UDP connection to the statsd server
 
@@ -36,3 +36,8 @@ metrics types are mapped as follwoing:
 * Gauge -> Gauge
 * Recorder -> Histogram
 * Timer -> Timer
+
+
+ ## Security
+
+ Please see [SECURITY.md](SECURITY.md) for details on the security process.

SECURITY.md

@@ -0,0 +1,43 @@
+# Security
+
+ This document specifies the security process for the Swift Service Lifecycle project.
+
+ ## Disclosures
+
+ ### Private Disclosure Process
+
+ The Swift Service Lifecycle maintainers ask that known and suspected vulnerabilities be
+ privately and responsibly disclosed by emailing
+ [[email protected]](mailto:[email protected])
+ with the all the required detail.
+ **Do not file a public issue.**
+
+ #### When to report a vulnerability
+
+ * You think you have discovered a potential security vulnerability in Swift Service Lifecycle.
+ * You are unsure how a vulnerability affects Swift Service Lifecycle.
+
+ #### What happens next?
+
+ * A member of the team will acknowledge receipt of the report within 3
+   working days (United States). This may include a request for additional
+   information about reproducing the vulnerability.
+ * We will privately inform the Swift Server Work Group ([SSWG][sswg]) of the
+   vulnerability within 10 days of the report as per their [security
+   guidelines][sswg-security].
+ * Once we have identified a fix we may ask you to validate it. We aim to do this
+   within 30 days. In some cases this may not be possible, for example when the
+   vulnerability exists at the protocol level and the industry must coordinate on
+   the disclosure process.
+ * If a CVE number is required, one will be requested from [MITRE][mitre]
+   providing you with full credit for the discovery.
+ * We will decide on a planned release date and let you know when it is.
+ * Prior to release, we will inform major dependents that a security-related
+   patch is impending.
+ * Once the fix has been released we will publish a security advisory on GitHub
+   and in the Server → Security Updates category on the [Swift forums][swift-forums-sec].
+
+ [sswg]: https://github.com/swift-server/sswg
+ [sswg-security]: https://github.com/swift-server/sswg/blob/main/security/README.md
+ [swift-forums-sec]: https://forums.swift.org/c/server/security-updates/
+ [mitre]: https://cveform.mitre.org/