added security policy document

acatangiu · acatangiu · commit b50abb227f75 · 2020-04-27T11:00:09.000+03:00
Signed-off-by: Adrian Catangiu &lt;acatan@amazon.com&gt;
diff --git a/SECURITY-POLICY.md b/SECURITY-POLICY.md
@@ -0,0 +1,22 @@
+# Security Issue Policy
+
+If you uncover a security issue with versionize, please write to us on
+<firecracker-security-disclosures@amazon.com>.
+
+Once the Firecracker [maintainers](MAINTAINERS.md) become aware (or are made
+aware) of a security issue, they will immediately assess it. Based on impact
+and complexity, they will determine an embargo period (if externally reported,
+the period will be agreed upon with the external party).
+
+During the embargo period, maintainers will prioritize developing a fix over
+other activities. Within this period, maintainers may also notify a limited
+number of trusted parties via a pre-disclosure list, providing them with
+technical information, a risk assessment, and early access to a fix.
+
+The external customers are included in this group based on the scale of their
+versionize usage in production. The pre-disclosure list may also contain
+significant external security contributors that can join the effort to fix the
+issue during the embargo period.
+
+At the end of the embargo period, maintainers will publicly release information
+about the security issue together with the versionize patches that mitigate it.
