Merge pull request #26 from contentauth/update-sec-guidance

Update security guidance

Author: crandmck

CONTRIBUTING.md

@@ -78,5 +78,5 @@ feel free to reach out to existing committers to have a conversation about that.
 
 ## Security issues
 
-Security issues shouldn't be reported on this issue tracker. Instead,
-[file an issue to our security experts](https://helpx.adobe.com/security/alertus.html).
+Do not create a public GitHub issue for any suspected security vulnerabilities. Instead, please file an issue through [Adobe's HackerOne page](https://hackerone.com/adobe?type=team). 
+For more information on reporting security issues, see [SECURITY.md](SECURITY.md).

SECURITY.md

@@ -0,0 +1,22 @@
+# Security
+
+This C2PA open-source library is maintained in partnership with Adobe. At this time, Adobe is taking point on accepting security reports through its HackerOne portal and public bug bounty program.
+
+## Reporting a vulnerability
+
+Please do not create a public GitHub issue for any suspected security vulnerabilities. Instead, please file an issue through [Adobe's HackerOne page](https://hackerone.com/adobe?type=team). If for some reason this is not possible, reach out to [email protected].
+
+
+## Vulnerability SLAs
+
+Once we receive an actionable vulnerability (meaning there is an available patch, or a code fix is required), we will acknowledge the vulnerability within 24 hours. Our target SLAs for resolution are:
+
+1. 72 hours for vulnerabilities with a CVSS score of 9.0-10.0
+2. 2 weeks for vulnerabilities with a CVSS score of 7.0-8.9
+
+Any vulnerability with a score below 6.9 will be resolved when possible.
+
+
+## C2PA Vulnerabilities
+
+This library is not meant to address any potential vulnerabilities within the C2PA specification itself. It is only an implementation of the spec as written. Any suspected vulnerabilities within the spec can be reported [here](https://github.com/c2pa-org/specifications/issues).