Merge pull request #52 from cisco-ospo/incorporate-ossf-security-md

Adapt phrasing from `ossf/scorecard` to `SECURITY.md` policy template

.github/ISSUE_TEMPLATE/bug_report.yml

@@ -33,6 +33,7 @@ body:
         - v1.0.0
         - v1.0.1
         - v1.0.2
+        - v1.0.3
       default: 0
     validations:
       required: false

CHANGELOG.md

@@ -12,6 +12,19 @@ Versioning](https://semver.org/spec/v2.0.0.html).
 
 ### TBA
 
+## [1.0.3] - 2024-07-29
+
+### Added
+
+* Minor `README` fixes by @lelia in #42
+* Bump the github group with 2 updates by @dependabot in #43
+* Bump step-security/harden-runner from 2.7.1 to 2.8.1 by @dependabot in #44
+* Bump step-security/harden-runner from 2.8.1 to 2.9.0 by @dependabot in #45
+* Issue form & template fixes by @lelia in #47
+* Fix `CONTRIBUTION.md` link by @lelia in #49
+* Adapt phrasing from `ossf/scorecard` to `SECURITY.md` policy template by
+  @lelia in #52
+
 ## [1.0.2] - 2024-07-12
 
 ### Added
@@ -57,7 +70,8 @@ Versioning](https://semver.org/spec/v2.0.0.html).
 * Deprecate Renovate and fix GitHub URL refs by @lelia in #14
 * Bump actions/checkout from 3.6.0 to 4.1.1 by @dependabot in #15
 
-[unreleased]: https://github.com/cisco-ospo/oss-template/compare/v1.0.2...HEAD
+[unreleased]: https://github.com/cisco-ospo/oss-template/compare/v1.0.3...HEAD
+[1.0.3]: https://github.com/cisco-ospo/oss-template/releases/tag/v1.0.3
 [1.0.2]: https://github.com/cisco-ospo/oss-template/releases/tag/v1.0.2
 [1.0.1]: https://github.com/cisco-ospo/oss-template/releases/tag/v1.0.1
 [1.0.0]: https://github.com/cisco-ospo/oss-template/releases/tag/v1.0.0

SECURITY.md

@@ -3,37 +3,55 @@
 This document outlines security procedures and general policies for the
 `<project name>` project.
 
-- [Reporting a Bug](#reporting-a-bug)
-- [Disclosure Policy](#disclosure-policy)
-- [Comments on this Policy](#comments-on-this-policy)
+- [Disclosing a security issue](#disclosing-a-security-issue)
+- [Vulnerability management](#vulnerability-management)
+- [Suggesting changes](#suggesting-changes)
 
-## Reporting a Bug
+## Disclosing a security issue
 
-The `<project name>` team and community take all security bugs in `<project
-name>` seriously. Thank you for improving the security of `<project name>`. We
-appreciate your efforts and responsible disclosure and will make every effort to
-acknowledge your contributions.
+The `<project name>` maintainers take all security issues in the project
+seriously. Thank you for improving the security of `<project name>`. We
+appreciate your dedication to responsible disclosure and will make every effort
+to acknowledge your contributions.
 
-Report security bugs by emailing `[email protected]`.
+`<project name>` leverages GitHub's private vulnerability reporting.
 
-The lead maintainer will acknowledge your email within 48 hours, and will send a
-more detailed response within 48 hours indicating the next steps in handling
-your report. After the initial reply to your report, the security team will
-endeavor to keep you informed of the progress towards a fix and full
-announcement, and may ask for additional information or guidance.
+To learn more about this feature and how to submit a vulnerability report,
+review [GitHub's documentation on private reporting](https://docs.github.com/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/privately-reporting-a-security-vulnerability).
 
-## Disclosure Policy
+Here are some helpful details to include in your report:
 
-When the security team receives a security bug report, they will assign it to a
-primary handler. This person will coordinate the fix and release process,
-involving the following steps:
+- a detailed description of the issue
+- the steps required to reproduce the issue
+- versions of the project that may be affected by the issue
+- if known, any mitigations for the issue
 
-- Confirm the problem and determine the affected versions.
-- Audit code to find any potential similar problems.
-- Prepare fixes for all releases still under maintenance. These fixes will be
-  released as quickly as possible.
+A maintainer will acknowledge the report within three (3) business days, and
+will send a more detailed response within an additional three (3) business days
+indicating the next steps in handling your report.
 
-## Comments on this Policy
+If you've been unable to successfully draft a vulnerability report via GitHub
+or have not received a response during the alloted response window, please
+reach out via the [Cisco Open security contact email](mailto:[email protected]).
 
-If you have suggestions on how this process could be improved please submit a
-pull request.
+After the initial reply to your report, the maintainers will endeavor to keep
+you informed of the progress towards a fix and full announcement, and may ask
+for additional information or guidance.
+
+## Vulnerability management
+
+When the maintainers receive a disclosure report, they will assign it to a
+primary handler.
+
+This person will coordinate the fix and release process, which involves the
+following steps:
+
+- confirming the issue
+- determining affected versions of the project
+- auditing code to find any potential similar problems
+- preparing fixes for all releases under maintenance
+
+## Suggesting changes
+
+If you have suggestions on how this process could be improved please submit an
+issue or pull request.