feat: Add SECURITY to show doc on reporting a security bug

LakshmiSaiHarika · LakshmiSaiHarika · commit ac4e9e4723bf · 2025-10-14T15:02:43.000-07:00
Signed-off-by: Harika Nittala &lt;lnittala@amd.com&gt;
diff --git a/SECURITY.md b/SECURITY.md
@@ -0,0 +1,22 @@
+# Security and Disclosure Information Policy for the sev-certify project
+
+ * [Reporting a Security bug](#Reporting-a-Security-bug)
+ * [Security bug Response](#Security-bug-Response)
+
+## Reporting a Security bug
+
+If you think you've identified a security issue in a sev-certify project,
+please DO NOT report the issue publicly via the Github issue tracker,
+mailing list, or IRC. Instead, send an email to our [project maintainers](CONTRIBUTING.md#project-maintainers).
+
+Please do **not** create a public issue.
+
+## Security bug Response
+
+Each report is acknowledged and analyzed by the core maintainers within 5 working days.
+
+Any vulnerability information shared with core maintainers stays within a sev-certify project
+and will not be disseminated to other projects unless it is necessary to get the issue fixed.
+
+As the security issue moves from triage, to an identified fix, to release planning, the core
+maintainers will keep the reporter updated.
