*: add information about security mailing list

cyphar · cyphar · commit ac422aa54537 · 2016-12-03T18:54:53.000+11:00
Signed-off-by: Aleksa Sarai &lt;asarai@suse.de&gt;
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -1,5 +1,12 @@
 ## Contribution Guidelines
 
+### Security issues
+
+If you are reporting a security issue, do not create an issue or file a pull
+request on GitHub. Instead, disclose the issue responsibly by sending an email
+to security@opencontainers.org (which is inhabited only by the maintainers of
+the various OCI projects).
+
 ### Pull requests are always welcome
 
 We are always thrilled to receive pull requests, and do our best to
diff --git a/README.md b/README.md
@@ -12,9 +12,14 @@ This means that `runc` 1.0.0 should implement the 1.0 version of the specificati
 
 You can find official releases of `runc` on the [release](https://github.com/opencontainers/runc/releases) page.
 
+### Security
+
+If you wish to report a security issue, please disclose the issue responsibly
+to security@opencontainers.org.
+
 ## Building
 
-`runc` currently supports the Linux platform with various architecture support. 
+`runc` currently supports the Linux platform with various architecture support.
 It must be built with Go version 1.6 or higher in order for some features to function properly.
 
 In order to enable seccomp support you will need to install `libseccomp` on your platform.
