Create a Security Policy

[joycebrum]

Closes #498

I’ve created the SECURITY.md file considering the report vulnerability through security advisory, which is a new github feature still in beta and that has to be enabled.

If you rather not enabling it there is also the possibility to receive the vulnerability report through an email, in this case just let me know which email it would be and I’ll submit the change.

Besides that feel free to edit or suggest any changes to this document, it is supposed to reflect the amount of effort the team can offer to handle vulnerabilities.

[eliben]

I'm not sure what the 90 day disclosure is and how it applies here.

14 days would be better than 7

[joycebrum]

The 90 days to disclosure is regarding the Public Vulnerability Disclosure, which is basically when the vulnerability will be made public to users know about it and work in their own remediations.

In github there is the Security Advisory which is used to do this public vulnerability disclosure.

AFAIK, there is some possible standard rules a project/org may adopt, which 90 days to disclosure is one of them:

• until it is fixed;
• until a certain amount of time has passed since a report was first submitted; (the 90 days for example)

According to tech target blog, most industry vendors, as well as Google's Project Zero team, recommend a 90-day deadline to fix a vulnerability before full public disclosure, with a seven-day requirement for critical security issues but fewer than seven days for critical vulnerabilities being actively exploited.

Let me know if you want to keep the 90 days of public disclosure or if you rather remove this part of the document and perhaps use the "until it is fixed" rule.