Add SECURITY.md

Also modified the GitHub bug report issue template and PR template,
to make it clear they're not to be used to disclose security
vulnerabilities.

Fixes eclipse-theia#8795

Signed-off-by: Marc Dumais <[email protected]>

.github/ISSUE_TEMPLATE/bug_report.md

@@ -1,9 +1,13 @@
 ---
-name: Bug Report
+name: Bug Report (except security vulnerabilities)
 about: Create a report to help us improve
 ---
 
 <!-- Please provide a detailed description of the bug. -->
+<!-- Note: This template is not meant for security vulnerabilities disclosure -->
+<!-- Any such issue, created in this repo, will be deleted on sight -->
+<!-- Instead please report vulnerabilities to the Eclipse Foundation's security team -->
+<!-- For more details, please read SECURITY.md in the repository root -->
 ### Bug Description:
 
 <!-- Please provide clear steps to reproduce the bug. -->

.github/PULL_REQUEST_TEMPLATE.md

@@ -5,6 +5,12 @@ the requirements below.
 Contributors guide: https://github.com/theia-ide/theia/blob/master/CONTRIBUTING.md
 -->
 
+<!--
+Note: Security vulnerabilities should not be disclosed on GitHub, through a PR or any
+other means. See SECURITY.md at the root of this repository, to learn how to report
+vulnerabilities.
+-->
+
 #### What it does
 <!-- Include relevant issues and describe how they are addressed. -->
 

SECURITY.md

@@ -0,0 +1,11 @@
+# Eclipse Theia Vulnerability Reporting Policy
+
+If you think or suspect that you have discovered a new security vulnerability
+in this project, please __do not__ disclose it on GitHub, e.g. in an issue, a
+PR, or a discussion. Any such disclosure will be removed/deleted on sight, to
+insure orderly disclosure, as per the Eclipse Foundation Security Policy (1).
+
+Instead, please report any potential vulnerability to the Eclipse Foundation [Security Team](https://www.eclipse.org/security/).
+
+(1) _Eclipse Foundation Vulnerability Reporting Policy_:
+[https://www.eclipse.org/security/policy.php](https://www.eclipse.org/security/policy.php)