docs: add SECURITY.md, security reporting process (#810)

* chore: add SECURITY.md, security reporting process Signed-off-by: Dorian Johnson <2020@dorianj.net> * security.md: link to the announcements mailing list Signed-off-by: Dorian Johnson <2020@dorianj.net> * README: add link to security reporting process Signed-off-by: Dorian Johnson <2020@dorianj.net>

docs: add SECURITY.md, security reporting process (#810)
* chore: add SECURITY.md, security reporting process Signed-off-by: Dorian Johnson <2020@dorianj.net> * security.md: link to the announcements mailing list Signed-off-by: Dorian Johnson <2020@dorianj.net> * README: add link to security reporting process Signed-off-by: Dorian Johnson <2020@dorianj.net>
32ad4de5 · Dorian Johnson · GitHub · a09cb618 · 32ad4de5 · 32ad4de5
Unverified Commit 32ad4de5 authored Nov 12, 2020 by Dorian Johnson Committed by GitHub Nov 12, 2020
Show whitespace changes
Inline Side-by-side

Showing with 15 additions and 1 deletion

README.md README.md +1 -1

SECURITY.md SECURITY.md +14 -0

No files found.
--- a/README.md
+++ b/README.md
@@ -87,7 +87,7 @@ Please note that the mock images only served as demonstration purpose.
 ## Get Involved in the Community

 Want help or want to help?
-Use the button in our [header](https://github.com/amundsen-io/amundsen#readme) to join our slack channel. Contributions are also more than welcome! As explained in [CONTRIBUTING.md](https://github.com/amundsen-io/amundsen/blob/master/CONTRIBUTING.md) there are many ways to contribute, it does not all have to be code with new features and bug fixes, also documentation, like FAQ entries, bug reports, blog posts sharing experiences etc. all help move Amundsen forward.
+Use the button in our [header](https://github.com/amundsen-io/amundsen#readme) to join our slack channel. Contributions are also more than welcome! As explained in [CONTRIBUTING.md](https://github.com/amundsen-io/amundsen/blob/master/CONTRIBUTING.md) there are many ways to contribute, it does not all have to be code with new features and bug fixes, also documentation, like FAQ entries, bug reports, blog posts sharing experiences etc. all help move Amundsen forward. If you find a security vulnerability, [please follow this guide](https://github.com/amundsen-io/amundsen/blob/master/SECURITY.md).

 ## Getting Started


--- a/SECURITY.md
+++ b/SECURITY.md
+# Security Policy
+
+## Reporting a Vulnerability
+If you think you have found a security vulnerability, please send a report to amundsen-security@lists.lfaidata.foundation. Please do not post security vulnerabilities on Slack.
+
+We don't currently have a PGP key, unfortunately.
+
+An Amundsen committer will send you a response indicating the next steps in handling your report. After the initial reply to your report, the committer will keep you informed of the progress towards a fix and full announcement, and may ask for additional information or guidance.
+
+*Important:* Please don't disclose the vulnerability before it have been fixed and announced, to protect our users.
+
+## Security announcements
+
+Please subscribe to [the announcements mailing list](https://lists.lfai.foundation/g/amundsen-announce), where we post notifications and remediation details for security vulnerabilities.