Cover Security in the standard files

[hyandell]

I propose that the default files cover Security. Be it as text in the CONTRIBUTING.md, or via a SECURITY.md file. Ideally both, with the SECURITY.md going into the org's template directory.

Like the CoC, the security file will need some kind of unusual contact address.

[royaljust]

Thanks @hyandell - this is a bit out of my wheelhouse. Here is Microsoft's standard security reporting. But that feels a bit heavyweight from my perspective (24 hour SLA, etc.). Thoughts on how to handle? How is this typically handled outside of large companies?

[hyandell]

I asked around at OpenSSF on the topic. Some interesting things there that could lead to a good default text.

https://github.com/cncf/tag-security/tree/main/project-resources is one suggestion to consider; though I think the wg_identifying_security_threats group at OpenSSF may produce something more canonical.

[royaljust]

Noting that our security solution should leverage this beta feature from GitHub: https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability. Leaving open to address once feature clears beta.