From 6c79d1035b5db9e0511c30824d21aaedc270cd61 Mon Sep 17 00:00:00 2001 From: Robert Lillack Date: Tue, 12 Jul 2022 17:45:52 +0200 Subject: [PATCH] Add simple contribution guidelines. #38 (#39) * Add contribution guidelines. #38 * Flip contriburing/license. --- README.md | 8 ++++++++ SECURITY.md | 29 +++++++++++++++++++++++++++++ 2 files changed, 37 insertions(+) create mode 100644 SECURITY.md diff --git a/README.md b/README.md index 19800f8..4a50856 100644 --- a/README.md +++ b/README.md @@ -94,6 +94,14 @@ therefor will not be added to tack. - Liquid template support - More configuration options +#### Contributing + +To report bugs, or to propose new features, please see [the tack bug tracker](https://github.com/roblillack/tack/issues). + +If you'd like to contribute, feel free to create a pull request to implement new features or bug-fixes. Ensure that all code has a proper unit test and is written in idiomatic Go. + +Regarding security concerns, please see the separate [Security Policy](./SECURITY.md) + #### License [MIT/X11](https://github.com/roblillack/tack/blob/master/LICENSE). diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..557839f --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,29 @@ +# Security Policy + +## What is regarded a security defect? + +With tack being a static site generator, naturally the attack surface is very +low: A static site generator is usually not run in any kind of production +environment. + +Still, we want to ensure that users of the tool can trust it to not break their +CI or development systems and we therefore regard the following types of defects +a security issue: + +- Writing to the filesystem outside of `SITE/output` +- Serving data which does not belong to the generated website when running `tack serve` + +## Supported Versions + +We'll only support the latest major version of tack with security updates. Currently this means: + +| Version | Supported | +| ------- | ------------------ | +| 1.2.x | :white_check_mark: | +| 1.1.x | :x: | +| 1.0.x | :x: | +| < 1.0 | :x: | + +## Reporting a Vulnerability + +Feel free to report security defects using [our bug tracker](https://github.com/roblillack/tack/issues). If you'd rather report a security issue privately, you can do so by sending email to [@roblillack](https://github.com/roblillack): To get to my email address, just add the at sign between my given and family name and finish it of by adding .net!
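Review bot: In the README hunk, the new line "Regarding security concerns, please see the separate [Security Policy](./SECURITY.md)" is missing its terminating full stop, and since it is the one sentence that steers reporters away from the public tracker it should read as a complete instruction, e.g. "For security concerns, please see the separate [Security Policy](./SECURITY.md) before opening a public issue." The surrounding context line "therefor will not be added to tack." carries a pre-existing typo ("therefore"); it is outside this change, but worth fixing while the section is being touched.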
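Review bot: The "Supported Versions" section says "We'll only support the latest major version of tack with security updates", but the table marks 1.1.x and 1.0.x as unsupported while 1.2.x is supported, so the policy as written is actually "latest minor version"; either change the sentence to "latest minor release" or adjust the table so the two agree, otherwise readers on 1.1.x cannot tell whether they will receive fixes. In "Reporting a Vulnerability", the public bug tracker is offered first and the private email channel second; consider reversing that order so a reporter's default path is the private one, since details filed on the public tracker are visible to everyone before a fix exists, and state that the private route is preferred for anything that meets the "security defect" definition above. Minor wording: "regard the following types of defects a security issue" should be "regard the following types of defects as security issues", and "finish it of by adding .net" should be "finish it off".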