Standard short SECURITY.md for OSS projects: how to report a vulnerability privately (email or GitHub Security Advisory), what's in scope (engine + runtime/docker), what's out of scope (Docker daemon itself, the host system, user-supplied compose / Dockerfiles).
Should reference the project's expected response time and whether GitHub Security Advisories are accepted.