Adds SECURITY.md file with instructions (#5181)

* Adds SECURITY.md file with instructions * Removes trailing whitespace on SECURITY.md * Updates README with link to full security policy * Updates CONTRIBUTING with link to full security policy * Update CHANGELOG with security policy
decidim · Jun 14, 2019 · 1aecfaa · 1aecfaa
1 parent 5a48bae
commit 1aecfaa
Show file tree

Hide file tree

Showing 4 changed files with 31 additions and 6 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,11 +5,13 @@
 
 **Added**:
 
+- **decidim-core**: Adds SECURITY.md per Github recommendations [#5181](https://github.com/decidim/decidim/pull/5181)
 - **decidim-core**, **decidim-system**: Add force users to authenticate before access to the organization [#5189](https://github.com/decidim/decidim/pull/5189)
 - **decidim-proposals**: Add new fields to proposal_serializer [#5186](https://github.com/decidim/decidim/pull/5186)
 - **decidim-proposals**: Add :amend action to proposal's authorization workflow [#5184](https://github.com/decidim/decidim/pull/5184)
 - **decidim-core**, **decidim-proposals**: Add: Improvements in amendments on `Proposals` control version [#5185](https://github.com/decidim/decidim/pull/5185)
 
+
 **Changed**:
 
 

diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -6,11 +6,7 @@ If you haven't already, come find us in [Gitter](https://gitter.im/decidim/decid
 
 ## Did you find a bug?
 
-* **Do not open up a GitHub issue if the bug is a security vulnerability in Decidim**, and instead send us an email to security [at] decidim.org. We recommend to use GPG for these kind of communications, the fingerprint is C1BD 8981 D83C 23F9 D419 FE42 149A D0F9 84B9 35C4. To download our key:
-
-```bash
-gpg --keyserver pgp.key-server.io --recv 84B935C4
-```
+* **Do not open up a GitHub issue if the bug is a security vulnerability in Decidim**, and instead send us an email to security [at] decidim.org. See [full security policy](SECURITY.md).
 
 * **Ensure the bug was not already reported** by searching on GitHub under [Issues](https://github.com/decidim/decidim/issues) and on [Metadecidim](https://meta.decidim.org/processes/bug-report/f/210/proposals).
 

diff --git a/README.md b/README.md
@@ -168,4 +168,4 @@ Since Decidim is a ruby gem, you can check out the [dependent repositories](http
 
 ## Security 
 
-Security is very important to us. If you have any issue regarding security, please disclose the information responsibly by sending an email to security [at] decidim [dot] org and not by creating a github/metadecidim issue. We appreciate your effort to make Decidim more secure. 
+Security is very important to us. If you have any issue regarding security, please disclose the information responsibly by sending an email to security [at] decidim [dot] org and not by creating a github/metadecidim issue. We appreciate your effort to make Decidim more secure. See [full security policy](SECURITY.md).
diff --git a/SECURITY.md b/SECURITY.md
@@ -0,0 +1,27 @@
+# Security Policy
+
+## Supported Versions
+
+Until we have the version 1.0 we support only the last minor and major
+version with security updates.
+
+| Version | Supported          |
+| ------- | ------------------ |
+| 0.17.x   | :white_check_mark: |
+| < 0.16   | :x:                |
+
+## Reporting a Vulnerability
+
+Security is very important to us.
+
+If you have any issue regarding security, please disclose the information
+responsibly by sending an email to security [at] decidim [dot] org and not
+by creating a github/metadecidim issue. We appreciate your effort to make
+Decidim more secure.
+
+We recommend to use GPG for these kind of communications, the fingerprint
+is `C1BD 8981 D83C 23F9 D419 FE42 149A D0F9 84B9 35C4`. To download our key:
+
+```bash
+gpg --keyserver pgp.key-server.io --recv 84B935C4
+```