feat(security): responsible disclosure policy

lirantal · lirantal · commit dd870ea1ebd9 · 2019-07-13T11:01:37.000+01:00
diff --git a/README.md b/README.md
@@ -11,8 +11,9 @@
   <a href="https://www.npmjs.org/package/create-node-lib"><img src="https://badgen.net/npm/license/create-node-lib"alt="license"/></a>
   <a href="https://www.npmjs.org/package/create-node-lib"><img src="https://badgen.net/npm/dt/create-node-lib"alt="downloads"/></a>
   <a href="https://travis-ci.org/lirantal/create-node-lib"><img src="https://badgen.net/travis/lirantal/create-node-lib" alt="build"/></a>
-  <a href="https://github.com/saojs/awesome-sao"><img src="https://cdn.rawgit.com/sindresorhus/awesome/d7305f38d29fed78fa85652e3a63e154dd8e8829/media/badge.svg" alt="Awesome"/></a>
   <a href="https://snyk.io/test/github/lirantal/create-node-lib"><img src="https://snyk.io/test/github/lirantal/create-node-lib/badge.svg" alt="Known Vulnerabilities"/></a>
+  <a href="./SECURITY.md"><img src="https://img.shields.io/badge/Security-Responsible%20Disclosure-yellow.svg" alt="Responsible Disclosure Policy" /></a>
+  <a href="https://github.com/saojs/awesome-sao"><img src="https://cdn.rawgit.com/sindresorhus/awesome/d7305f38d29fed78fa85652e3a63e154dd8e8829/media/badge.svg" alt="Awesome"/></a>
 </p>
 
 # About
diff --git a/SECURITY.md b/SECURITY.md
@@ -0,0 +1,23 @@
+# Security Policy
+
+## Responsible disclosure security policy
+
+A responsible disclosure policy helps protect users of the project from publicly disclosed security vulnerabilities without a fix by employing a process where vulnerabilities are first triaged in a private manner, and only publicly disclosed after a reasonable time period that allows patching the vulnerability and provides an upgrade path for users.
+
+When contacting us directly via email, we will do our best efforts to respond in a reasonable time to resolve the issue. When contacting a security program their disclosure policy will provide details on time-frame, processes and paid bounties.
+
+We kindly ask you to refrain from malicious acts that put our users, the project, or any of the project’s team members at risk.
+
+## Reporting a security issue
+
+We consider the security of our systems a top priority. But no matter how much effort we put into system security, there can still be vulnerabilities present.
+
+If you discover a security vulnerability, please use one of the following means of communications to report it to us:
+
+- Report the security issue to the Node.js Security WG through the [HackerOne program](https://hackerone.com/nodejs-ecosystem) for ecosystem modules on npm, or to [Snyk Security Team](https://snyk.io/vulnerability-disclosure). They will help triage the security issue and work with all involved parties to remediate and release a fix.
+
+Note that time-frame and processes are subject to each program’s own policy.
+
+- Report the security issue to the project maintainers directly.
+
+Your efforts to responsibly disclose your findings are sincerely appreciated and will be taken into account to acknowledge your contributions.
diff --git a/template/README.md b/template/README.md
@@ -13,7 +13,7 @@
   <a href="https://travis-ci.org/<%= username %>/<%= projectName %>"><img src="https://badgen.net/travis/<%= username %>/<%= projectName %>" alt="build"/></a>
   <a href="https://codecov.io/gh/<%= username %>/<%= projectName %>"><img src="https://badgen.net/codecov/c/github/<%= username %>/<%= projectName %>" alt="codecov"/></a>
   <a href="https://snyk.io/test/github/<%= username %>/<%= projectName %>"><img src="https://snyk.io/test/github/<%= username %>/<%= projectName %>/badge.svg" alt="Known Vulnerabilities"/></a>
-  <a href="https://github.com/nodejs/security-wg/blob/master/processes/responsible_disclosure_template.md"><img src="https://img.shields.io/badge/Security-Responsible%20Disclosure-yellow.svg" alt="Security Responsible Disclosure" /></a>
+  <a href="./SECURITY.md"><img src="https://img.shields.io/badge/Security-Responsible%20Disclosure-yellow.svg" alt="Responsible Disclosure Policy" /></a>
 </p>
 
 # About
diff --git a/template/SECURITY.md b/template/SECURITY.md
@@ -0,0 +1,23 @@
+# Security Policy
+
+## Responsible disclosure security policy
+
+A responsible disclosure policy helps protect users of the project from publicly disclosed security vulnerabilities without a fix by employing a process where vulnerabilities are first triaged in a private manner, and only publicly disclosed after a reasonable time period that allows patching the vulnerability and provides an upgrade path for users.
+
+When contacting us directly via email, we will do our best efforts to respond in a reasonable time to resolve the issue. When contacting a security program their disclosure policy will provide details on time-frame, processes and paid bounties.
+
+We kindly ask you to refrain from malicious acts that put our users, the project, or any of the project’s team members at risk.
+
+## Reporting a security issue
+
+We consider the security of our systems a top priority. But no matter how much effort we put into system security, there can still be vulnerabilities present.
+
+If you discover a security vulnerability, please use one of the following means of communications to report it to us:
+
+- Report the security issue to the Node.js Security WG through the [HackerOne program](https://hackerone.com/nodejs-ecosystem) for ecosystem modules on npm, or to [Snyk Security Team](https://snyk.io/vulnerability-disclosure). They will help triage the security issue and work with all involved parties to remediate and release a fix.
+
+Note that time-frame and processes are subject to each program’s own policy.
+
+- Report the security issue to the project maintainers directly.
+
+Your efforts to responsibly disclose your findings are sincerely appreciated and will be taken into account to acknowledge your contributions.
