Merge pull request #45 from hyperledger-best-practice-audit/master

ryjones · web-flow · commit 2accad44c4b0 · 2019-09-28T19:02:42.000-07:00
Add default SECURITY policy
diff --git a/SECURITY.md b/SECURITY.md
@@ -0,0 +1,23 @@
+# Hyperledger Security Policy
+
+## Reporting a Security Bug
+
+If you think you have discovered a security issue in any of the Hyperledger
+projects, we'd love to hear from you. We will take all security bugs
+seriously and if confirmed upon investigation we will patch it within a
+reasonable amount of time and release a public security bulletin discussing
+the impact and credit the discoverer.
+
+There are two ways to report a security bug. The easiest is to email a
+description of the flaw and any related information (e.g. reproduction
+steps, version) to
+[security at hyperledger dot org](mailto:security@hyperledger.org).
+
+The other way is to file a confidential security bug in our
+[JIRA bug tracking system](https://jira.hyperledger.org).
+Be sure to set the “Security Level” to “Security issue”.
+
+The process by which the Hyperledger Security Team handles security bugs
+is documented further in our
+[Defect Response](https://wiki.hyperledger.org/display/HYP/Defect+Response)
+page on our [wiki](https://wiki.hyperledger.org).
