From 1d280608366d15728ac0983ef71e5ea389e0169d Mon Sep 17 00:00:00 2001
From: Jonathan Foote <jonathan@foote.pub>
Date: Wed, 29 Apr 2020 15:37:09 -0400
Subject: chore: add initial security policy (#2360)

Adds an initial security policy based on email discussions with @carllerche,
@hawkw, and co.
---
 SECURITY.md | 13 +++++++++++++
 1 file changed, 13 insertions(+)
 create mode 100644 SECURITY.md

(limited to 'SECURITY.md')

diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 00000000..bf155ff9
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,13 @@
+## Report a security issue
+
+The Tokio project team welcomes security reports and is committed to providing prompt attention to security issues. Security issues should be reported privately via [security@tokio.rs](mailto:security@tokio.rs). Security issues should not be reported via the public Github Issue tracker.
+
+## Vulnerability coordination
+
+Remediation of security vulnerabilities is prioritized by the project team. The project team coordinates remediation with third-party project stakeholders via [Github Security Advisories](https://help.github.com/en/github/managing-security-vulnerabilities/about-github-security-advisories). Third-party stakeholders may include the reporter of the issue, affected direct or indirect users of Tokio, and maintainers of upstream dependencies if applicable.
+
+Downstream project maintainers and Tokio users can request participation in coordination of applicable security issues by sending your contact email address, Github username(s) and any other salient information to [security@tokio.rs](mailto:security@tokio.rs). Participation in security issue coordination processes is at the discretion of the Tokio team.
+
+## Security advisories
+
+The project team is committed to transparency in the security issue disclosure process. The Tokio team announces security issues via [project Github Release notes](https://github.com/tokio-rs/tokio/releases) and the [RustSec advisory database](https://github.com/RustSec/advisory-db) (i.e. `cargo-audit`).
-- 
cgit v1.2.3