Merge #600

bors[bot] · jonasbb · web-flow · commit fd3fd8c9e621 · 2023-06-05T20:02:41.000Z
600: Add SECURITY.md r=jonasbb a=jonasbb

bors r+

Co-authored-by: Jonas Bushart &lt;jonas@bushart.org&gt;
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -22,7 +22,8 @@ Make sure to include the three major parts of information:
 2. Explain what the expected result and/or expected serialized data is.
 3. If possible prepare a minimal running example.
 
-Security vulnerabilities should be reported like normal bugs in the issue tracker.
+Security vulnerabilities should be reported privately as [security advisory](https://github.com/jonasbb/serde_with/security).
+Check [./SECURITY.md] for details.
 
 ## Submitting a PR
 
diff --git a/SECURITY.md b/SECURITY.md
@@ -0,0 +1,6 @@
+# Security Policy
+
+Please report found vulnerabilities privately at <https://github.com/jonasbb/serde_with/security>.
+[GitHub provides details](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability) for submitting vulnerabilities using their system and has advice about [writing a good advisory](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/best-practices-for-writing-repository-security-advisories).
+
+Provide as much information as possible while reporting, ideally including a proof-of-concept exploit.
