Merge pull request #1144 from nschonni/patch-1

PeterDaveHello · web-flow · commit dafa92222f3b · 2019-11-19T00:05:19.000+08:00
chore: Add initial SECURITY.md
diff --git a/SECURITY.md b/SECURITY.md
@@ -0,0 +1,12 @@
+# Security Policy
+
+## Reporting a Vulnerability
+
+Security issues relating to Node.js project should follow the process documented on <https://nodejs.org/en/security/>.
+
+CVEs for the base image packages should be reported to those repositories. Nothing to address those CVEs is in the hands of this repos.
+
+- [Alpine](https://github.com/alpinelinux/docker-alpine)
+- [Debian (buster, jessie, stretch)](https://github.com/debuerreotype/docker-debian-artifacts)
+
+When base images are patched, the images are rebuilt and rolled out to the Docker hub without intervention by this repo. This process is explained in <https://github.com/docker-library/faq/#why-does-my-security-scanner-show-that-an-image-has-cves>.
