added security policy document

acatangiu · acatangiu · commit e0cf601b2a33 · 2020-04-27T12:22:28.000+03:00
Signed-off-by: Adrian Catangiu &lt;acatan@amazon.com&gt;
diff --git a/SECURITY-POLICY.md b/SECURITY-POLICY.md
@@ -0,0 +1,23 @@
+# Security Issue Policy
+
+If you uncover a security issue with versionize_derive, please write to us on
+<firecracker-security-disclosures@amazon.com>.
+
+Once the Firecracker [maintainers](MAINTAINERS.md) become aware (or are made
+aware) of a security issue, they will immediately assess it. Based on impact
+and complexity, they will determine an embargo period (if externally reported,
+the period will be agreed upon with the external party).
+
+During the embargo period, maintainers will prioritize developing a fix over
+other activities. Within this period, maintainers may also notify a limited
+number of trusted parties via a pre-disclosure list, providing them with
+technical information, a risk assessment, and early access to a fix.
+
+The external customers are included in this group based on the scale of their
+versionize_derive usage in production. The pre-disclosure list may also contain
+significant external security contributors that can join the effort to fix the
+issue during the embargo period.
+
+At the end of the embargo period, maintainers will publicly release information
+about the security issue together with the versionize_derive patches that
+mitigate it.
