Add CONTRIBUTING, SECURITY policies.

Author: trwyant

CONTRIBUTING

@@ -0,0 +1,27 @@
+I welcome bug reports, patches, and suggestions. My preferred way to
+recieve these is via the RT system at
+https://rt.cpan.org/Public/Dist/Display.html?Name=Win32API-File-Time,
+but I happily accept them either through GitHub at
+https://github.com/trwyant/perl-Win32API-File-Time,
+by electronic mail to WYANT AT cpan DOT org, or any other way that works
+for you, though I can not accept owls because I have no facilities to
+house them. Non-RT requests may be turned into RT tickets by me unless
+you specifically request otherwise. The bug report, patch, or suggestion
+(if acted on) will also be acknowledged in the Changes file unless you
+specifically request othewise.
+
+Requests for information probably do not need to be tickets in RT or
+GitHub, and my preferred route for these is by electronic mail, but
+again anything that works for you is probably fine with me.
+
+I try hard never to reject a bug report outright, though I may edit
+patches, believe that a different fix is more in line with my vision for
+the code, or even that the report is due to a misunderstanding and
+address it with a documentation change. Whatever I decide I will give
+you time to respond (typically a week or so), and whatever I actually do
+I will give you time to see if it meets your needs before I do a
+production release.
+
+GitHub pull requests should be made on a topic branch rather than the
+master branch. If you have something big in mind I would appreciate a
+heads-up in some form prior to the pull request.

MANIFEST

@@ -1,5 +1,6 @@
 Build.PL
 Changes
+CONTRIBUTING
 eg/README
 eg/touch.pl
 inc/mock/Win32/API.pm
@@ -15,6 +16,7 @@ MANIFEST
 META.json
 META.yml
 README
+SECURITY
 t/basic.t
 t/file.t
 xt/author/changes.t

SECURITY

@@ -0,0 +1,101 @@
+This is the Security Policy for the Perl Win32API-File-Time distribution.
+
+The latest version of the Security Policy can be found in the
+Git repository for Win32API-File-Time,
+https://github.com/perl-Win32API-File-Time.
+
+This text is based on the CPAN Security Group's Guidelines for Adding
+a Security Policy to Perl Distributions (version 0.2.2),
+https://security.metacpan.org/docs/guides/security-policy-for-authors.html
+
+How to Report a Security Vulnerability
+=== == ====== = ======== =============
+
+Security vulnerabilities can be reported by e-mail to the current
+project maintainer at WYANT AT cpan DOT org.
+
+Please include as many details as possible, including code samples
+or test cases, so that we can reproduce the issue.  Check that your
+report does not expose any sensitive data, such as passwords,
+tokens, or personal information.
+
+If you would like any help with triaging the issue, or if the issue
+is being actively exploited, please copy the report to the CPAN
+Security Group (CPANSec) at [email protected].
+
+Please DO NOT use the public issue reporting system on RT or
+GitHub issues for reporting security vulnerabilities.
+
+Please do not disclose the security vulnerability in public forums
+until past any proposed date for public disclosure, or it has been
+made public by the maintainers or CPANSec.  That includes patches or
+pull requests.
+
+For more information, see "Report a Security Issue",
+https://security.metacpan.org/docs/report.html on the CPANSec website.
+
+Response to Reports
+======== == =======
+
+The maintainer aims to acknowledge your security report as soon as
+possible.  However, this project is maintained by a single person in his
+spare time, and he cannot guarantee a rapid response.  If you have not
+received a response within a week, then please send a reminder and copy
+the report to CPANSec at [email protected].
+
+Please note that the initial response to your report will be an
+acknowledgement, with a possible query for more information.  It
+will not necessarily include any fixes for the issue.
+
+The project maintainer may forward this issue to the security
+contacts for other projects where he believe it is relevant.  This
+may include embedded libraries, system libraries, prerequisite
+modules or downstream software that uses this software.
+
+He may also forward this issue to CPANSec.
+
+Which Software this Policy Applies to
+===== ======== ==== ====== ======= ==
+
+Any security vulnerabilities in Win32API-File-Time are covered by this policy.
+
+Security vulnerabilities are considered anything that allows users
+to execute unauthorised code, access unauthorised resources, or to
+have an adverse impact on accessibility or performance of a system.
+
+Security vulnerabilities in upstream software (embedded libraries,
+prerequisite modules or system libraries, or in Perl), are not
+covered by this policy unless they affect Win32API-File-Time, or
+Win32API-File-Time can be used to exploit vulnerabilities in them.
+
+Security vulnerabilities in downstream software (any software that
+uses Win32API-File-Time, or plugins to it that are not included with the
+Win32API-File-Time distribution) are not covered by this policy.
+
+Supported Versions of Covered Software
+========= ======== == ======= ========
+
+The maintainer will only commit to releasing security fixes for
+the latest version of Win32API-File-Time.
+
+Note that the Win32API-File-Time project only supports production
+versions of Perl at of above the version indicated in the metadata. If a
+security fix requires me to increase the minimum version of Perl that is
+supported, then I may do so.
+
+Installation and Usage Issues
+============ === ===== ======
+
+The distribution metadata specifies minimum versions of
+prerequisites that are required for Win32API-File-Time to work.
+However, some of these prerequisites may have security vulnerabilities,
+and you should ensure that you are using up-to-date versions of these
+prerequisites.
+
+Where security vulnerabilities are known, the metadata may indicate
+newer versions as recommended.
+
+Usage
+=====
+
+Please see the software documentation for further information.