From e4000b0331c326edd401fa9731b82a8aa5aaa06f Mon Sep 17 00:00:00 2001 From: Sean McArthur Date: Fri, 23 May 2025 15:29:08 -0400 Subject: [PATCH] docs(SECURITY): update policy to use GSA drafts when reporting vulnerabilities --- SECURITY.md | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index b074a574b4..aa5ac773bf 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -1,9 +1,13 @@ # Security Policy -hyper (and related projects in hyperium) use the same security policy as the [Tokio project][tokio-security]. +hyper (and related projects in hyperium) take security seriously, and greatly appreciate responsibile disclosure. ## Report a security issue -The process for reporting an issue is the same as the [Tokio project][tokio-security]. This includes private reporting via security@tokio.rs. +To report a security issue in hyper, or another crate in the hyperium organization, please [report a new draft GitHub Security Advisory](https://github.com/hyperium/hyper/security/advisories/new). -[tokio-security]: https://github.com/tokio-rs/tokio/security/policy +We will discuss it privately with you. hyper maintainers will determine the impact and release details. Participation in security issue coordination is at the discretion of hyper maintainers. + +## Transparency + +We are committed to transparency in the security issue disclosure process. Advisories will be disclosed publicly once a patch is released, and if appropriate, added to the RustSec advisory database.
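Review bot: Typo in the first added line of the hunk: "responsibile disclosure" should read "responsible disclosure". Separately, the removed text gave reporters a private e-mail channel (security@tokio.rs) while the new text offers only the draft GitHub Security Advisory form; consider stating a fallback contact for reporters who cannot use GitHub, so the policy does not leave them without a private reporting path.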