From 8eef3e28a0bf4b9fb89f9e14874283df3425aef1 Mon Sep 17 00:00:00 2001 From: RafaelGSS Date: Mon, 15 Sep 2025 15:04:06 -0300 Subject: [PATCH 1/2] doc: add minimal SECURITY md --- SECURITY.md | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000000000..7a597c0e4e9c1 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,20 @@ +# Security + +## Reporting a vulnerability to Node.js Website + +Please report security issues **privately** using the **GitHub Security Advisory** +workflow (Security → “Report a vulnerability”). + +Do **not** open a public GitHub issue for security problems. + +We aim to acknowledge reports within **7 business days**. +If you do **not** receive an acknowledgement within **7 business days**, +forward your report to **[tsc@nodejs.org](mailto:tsc@nodejs.org)**. + +## Disclosure & advisories + +Confirmed vulnerabilities will be published as a **GitHub Security Advisory** +(and assigned a CVE when applicable). Notices are also shared via: + +- Node.js blog advisories: [https://nodejs.org/blog/vulnerability/](https://nodejs.org/blog/vulnerability/) + when necessary. From f10024830cd122a587cb8889d08739d1cfbfc040 Mon Sep 17 00:00:00 2001 From: RafaelGSS Date: Tue, 16 Sep 2025 10:52:58 -0300 Subject: [PATCH 2/2] fixup! doc: add minimal SECURITY md --- .github/CODEOWNERS | 1 + SECURITY.md | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS index a12b22ef5b80e..2e8ac23f5b9dc 100644 --- a/.github/CODEOWNERS +++ b/.github/CODEOWNERS @@ -36,6 +36,7 @@ LICENSE @nodejs/tsc GOVERNANCE.md @nodejs/tsc CONTRIBUTING.md @nodejs/nodejs-website @nodejs/web-infra docs @nodejs/nodejs-website @nodejs/web-infra +SECURITY.md @nodejs/security-wg # Node.js Release Blog Posts apps/site/pages/en/blog/release @nodejs/releasers diff --git a/SECURITY.md b/SECURITY.md index 7a597c0e4e9c1..d6a456a375a0f 100644 --- a/SECURITY.md 
+++ b/SECURITY.md @@ -3,7 +3,7 @@ ## Reporting a vulnerability to Node.js Website Please report security issues **privately** using the **GitHub Security Advisory** -workflow (Security → “Report a vulnerability”). +workflow ([Security → “Report a vulnerability”](https://github.com/nodejs/nodejs.org/security/advisories/new)). Do **not** open a public GitHub issue for security problems.
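Review bot: In the new SECURITY.md (patch 1/2), the "Disclosure & advisories" section ends with a one-item bullet list whose trailing "when necessary." dangles on its own line after the URL; either fold it into a single sentence ("Notices are also posted to the Node.js blog advisories page, https://nodejs.org/blog/vulnerability/, when necessary.") or list the other channels the "also shared via:" lead-in implies. The acknowledgement window is also stated twice in consecutive sentences ("We aim to acknowledge reports within **7 business days**." and "If you do **not** receive an acknowledgement within **7 business days**,"); one sentence giving the target and the escalation path would read more cleanly.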
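Review bot: The CODEOWNERS hunk routes `SECURITY.md @nodejs/security-wg` only, while the document it owns tells reporters to escalate to `tsc@nodejs.org`; pick one contact or name both in SECURITY.md so the review owner and the escalation path agree. Unlike the neighbouring entries (`CONTRIBUTING.md @nodejs/nodejs-website @nodejs/web-infra`, `docs @nodejs/nodejs-website @nodejs/web-infra`), the website team is not a co-owner here even though the file describes website-specific reporting; consider adding `@nodejs/nodejs-website` alongside the security WG.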
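Review bot: The fixup correctly turns the UI breadcrumb into a direct link to `https://github.com/nodejs/nodejs.org/security/advisories/new`, but that page only works for external reporters when private vulnerability reporting is enabled in the repository settings; confirm it is enabled before merging, since the document's only fallback is the 7-business-day escalation email.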