docs: add SECURITY.md

README.md

@@ -8,7 +8,7 @@ This repository contains a [devcontainer](https://docs.github.com/en/codespaces/
 
 ## State
 
-This repository is under active development; see [pulse](https://github.com/philips-software/amp-devcontainer/pulse) for more details;
+This repository is under active development; see [pulse](https://github.com/philips-software/amp-devcontainer/pulse) for more details.
 
 ## Description
 
@@ -60,6 +60,11 @@ See [CHANGELOG](./CHANGELOG.md) for more info on what's been changed.
 
 See [CONTRIBUTING](./CONTRIBUTING.md)
 
+## Reporting vulnerabilities
+
+If you find a vulnerability, please report it to us!
+See [SECURITY.md](./SECURITY.md) for more information.
+
 ## Licenses
 
 See [LICENSE](./LICENSE)

SECURITY.md

@@ -0,0 +1,15 @@
+# Security Policy
+
+## Supported Versions
+
+The [latest](https://github.com/philips-software/amp-devcontainer/releases/latest) version of
+amp-devcontainer is supported with security updates.
+
+## Reporting a Vulnerability
+
+If you find a significant vulnerability, or evidence of one, please report it privately.
+
+Vulnerabilities should be reported using [GitHub's mechanism for privately reporting a vulnerability](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability#privately-reporting-a-security-vulnerability). Under the
+[main repository's security tab](https://github.com/philips-software/amp-devcontainer/security), click "Report a vulnerability" to open the advisory form.
+
+A member of the amp-devcontainer team will triage the reported vulnerability and if the vulnerability is accepted a security advisory will be published and all further communication will be done via that security advisory.