From 1a8adee4ebc49970ec92a148280b3ea87ea25b24 Mon Sep 17 00:00:00 2001 From: Stephen Augustus Date: Wed, 3 Jul 2024 16:34:29 -0400 Subject: [PATCH] SECURITY: Reference LF policy and add fallback security contact Signed-off-by: Stephen Augustus --- SECURITY.md | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index 03b0e1ccbda..62a1dcee315 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -3,6 +3,9 @@ This document outlines security procedures and general policies for the OpenSSF Scorecard project. +This policy adheres to the [vulnerability management guidance](https://www.linuxfoundation.org/security) +for Linux Foundation projects. + - [Disclosing a security issue](#disclosing-a-security-issue) - [Vulnerability management](#vulnerability-management) - [Suggesting changes](#suggesting-changes) @@ -28,9 +31,15 @@ Here are some helpful details to include in your report: A maintainer will acknowledge the report within 72 hours, and will send a more detailed response within an additional 72 hours indicating the next steps in -handling your report. After the initial reply to your report, the maintainers -will endeavor to keep you informed of the progress towards a fix and full -announcement, and may ask for additional information or guidance. +handling your report. + +If you've been unable to successfully draft a vulnerability report via GitHub +or have not received a response during the alloted response window, please +reach out via the [OpenSSF security contact email](mailto:security@openssf.org). + +After the initial reply to your report, the maintainers will endeavor to keep +you informed of the progress towards a fix and full announcement, and may ask +for additional information or guidance. ## Vulnerability management
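Review bot: in the first hunk (the new "This policy adheres to ..." paragraph), the link points at the generic https://www.linuxfoundation.org/security landing page rather than a specific policy document, so readers cannot tell which version of the LF guidance this project commits to or what happens if that page changes or moves; consider linking the specific vulnerability management guidance document (or naming its title and date in the sentence) and stating whether the LF guidance or this SECURITY.md governs where the two differ.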
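Review bot: in the second hunk, the trigger for the fallback contact is ambiguous: "have not received a response during the alloted response window" could refer to the 72-hour acknowledgement window or to the additional 72 hours for the detailed response described just above it, so a reporter does not know when escalation to security@openssf.org is appropriate; suggest naming the window explicitly, e.g. "have not received an acknowledgement within 72 hours". Two smaller points on the same lines: "alloted" should be "allotted", and "unable to successfully draft a vulnerability report via GitHub" reads awkwardly and would be clearer as "unable to submit a report through GitHub".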