Adopt SSWG Security Guidelines (#52)

MrLotU · web-flow · commit 9d37dccb81b6 · 2021-06-29T16:16:00.000+02:00
diff --git a/README.md b/README.md
@@ -138,6 +138,10 @@ app.get("metrics") { req -> EventLoopFuture<String> in
 }
 ```
 
+## Security
+
+Please see [SECURITY.md](SECURITY.md) for details on the security process.
+
 # Contributing
 
 All contributions are most welcome!
diff --git a/SECURITY.md b/SECURITY.md
@@ -0,0 +1,43 @@
+# Security
+
+This document specifies the security process for the SwiftPrometheus project.
+
+## Disclosures
+
+### Private Disclosure Process
+
+The SwiftPrometheus maintainers ask that known and suspected vulnerabilities be
+privately and responsibly disclosed by emailing
+[j.koopman@jarict.nl](mailto:j.koopman@jarict.nl)
+with the all the required detail.
+**Do not file a public issue.**
+
+#### When to report a vulnerability
+
+* You think you have discovered a potential security vulnerability in SwiftPrometheus.
+* You are unsure how a vulnerability affects SwiftPrometheus.
+
+#### What happens next?
+
+* A member of the team will acknowledge receipt of the report within 3
+  working days (United States). This may include a request for additional
+  information about reproducing the vulnerability.
+* We will privately inform the Swift Server Work Group ([SSWG][sswg]) of the
+  vulnerability within 10 days of the report as per their [security
+  guidelines][sswg-security].
+* Once we have identified a fix we may ask you to validate it. We aim to do this
+  within 30 days. In some cases this may not be possible, for example when the
+  vulnerability exists at the protocol level and the industry must coordinate on
+  the disclosure process.
+* If a CVE number is required, one will be requested from [MITRE][mitre]
+  providing you with full credit for the discovery.
+* We will decide on a planned release date and let you know when it is.
+* Prior to release, we will inform major dependents that a security-related
+  patch is impending.
+* Once the fix has been released we will publish a security advisory on GitHub
+  and in the Server → Security Updates category on the [Swift forums][swift-forums-sec].
+
+[sswg]: https://github.com/swift-server/sswg
+[sswg-security]: https://github.com/swift-server/sswg/blob/main/security/README.md
+[swift-forums-sec]: https://forums.swift.org/c/server/security-updates/
+[mitre]: https://cveform.mitre.org/

Original file line number	Diff line number	Diff line change
`@@ -138,6 +138,10 @@ app.get("metrics") { req -> EventLoopFuture<String> in`
`138`	`138`	`}`
`139`	`139`	```
`140`	`140`
	`141`	`+## Security`
	`142`	`+`
	`143`	`+Please see [SECURITY.md](SECURITY.md) for details on the security process.`
	`144`	`+`
`141`	`145`	`# Contributing`
`142`	`146`
`143`	`147`	`All contributions are most welcome!`