Commit 0445f3f

Add SECURITY.md file (eiffel-community#15)
* Add SECURITY.md file

Adding the SECURITY.md file from the community repository to this one.
1 parent 1592e5b commit 0445f3f

File tree

1 file changed (+20 -0 lines changed)


SECURITY.md

Lines changed: 20 additions & 0 deletions
@@ -0,0 +1,20 @@
1+
# Eiffel-community Vulnerability and Security Reporting and Response
2+
3+
## Report a Vulnerability or Security Issue
4+
We as a community encourage researchers, users and contributors to report vulnerabilities and security related issues to the Eiffel community. All issues are thoroughly investigated by a community security officer and/or other community security volunteers. All reported and fixed security and vulnerability issues can be found on the [Eiffel community security page](https://eiffel-community.github.io/security.html) .
5+
6+
## How to Report a Security Vulnerability
7+
To file a vulnerability report please send and e-mail to the private [email protected] list. The e-mail should list the security specific details as well as the [standard bug report information](https://github.com/eiffel-community/.github/blob/master/.github/ISSUE_TEMPLATE/general.md). Only the community security officers will have access to e-mails sent on the security and vulnerability list. This process is the same whether the report stems from a project within the Eiffel community or from an external contributor.
8+
9+
Triage and handling of the vulnerability report will be conducted within one week. If the vulnerability severity and impact is high a patch will be published with urgency.
10+
11+
## When Should I Report a Vulnerability?
12+
* You think you discovered a potential security vulnerability in an eiffel-community service, application or repository
13+
* You are unsure how a vulnerability affects the eiffel-community service or application.
14+
* You think you discovered a vulnerability in another project that a eiffel-community service or application depends on.
15+
16+
## Security Vulnerability Response
17+
As mentioned, each report is acknowledged and analyzed by a eiffel-community security officer within one week. If the vulnerability is reproduced and verified a response will be sent to the reporter. As the issue progresses from triage, to fix, test and release the reporter will be updated.
18+
19+
## Public Disclosure
20+
The eiffel-community humbly asks all vulnerability reporters to hold off on public disclosure and instead negotiate a time frame within which the vulnerability report will be processed, fixed and released by the eiffel-community. Once released it will be listed on the [Eiffel community security page](https://eiffel-community.github.io/security.html) .
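Review bot: the private reporting list on the line "To file a vulnerability report please send and e-mail to the private [email protected] list" is the only contact channel this policy offers, and in this rendering it survives only as an obfuscated placeholder, so confirm that the committed file carries the real list address; since the text promises that only the security officers read that list, it would also help reporters to publish a PGP key or another encrypted channel next to it. Smaller points in the same hunk: "send and e-mail" should read "send an e-mail", "a eiffel-community" should be "an eiffel-community" (it occurs twice), and both "Eiffel community security page" links have a stray space before the full stop.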
