author: Nikos Mavrogiannopoulos <nmav@redhat.com> 2017-02-21 08:13:56 +0100
committer: Nikos Mavrogiannopoulos <nmav@redhat.com> 2017-02-21 08:17:10 +0100
commit: 3fd3f58167d22bf1d2b6c8fccba804bf8ca5df91 (patch)
tree: 51db3ba9e8e9d9ff05ed678116596da30a1d9e8c
parent: 619acc1e884d778591d7f4c2ca2821d2bfd6aa52 (diff)
download: gnutls-3fd3f58167d22bf1d2b6c8fccba804bf8ca5df91.tar.gz
Added SECURITY.md, a description of the security issue handling process
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
-rw-r--r--  SECURITY.md  32
1 files changed, 32 insertions, 0 deletions
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 0000000000..34303f1267
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,32 @@
+# GnuTLS -- Information about our security issue handling process
+
+ Security issues are reported either to [issue tracker](https://gitlab.com/gnutls/gnutls/issues)
+as private bugs, or on the bug report mail address.
+
+The following steps describe the steps we recommend to use to address the
+issue.
+
+# Which issues are security issues
+
+A metric we consult to assessing security vulnerabilities is
+the [CVSS](https://www.first.org/cvss) metric. Only vulnerabilities
+at the high or critical level are handled with this process. Other
+issues are handled with the normal release process.
+
+# Committing a fix
+
+The fix when is made available, preferrably within 3 months of the report,
+is pushed to the repository using a detailed message on all supported
+branches which are affected. The commit message must refer to the bug
+report addressed (e.g., our issue tracker or some external issue tracker).
+
+# Releasing
+
+Currently our releases are time-based, thus there are no special releases
+targetting security fixes. At release time the NEWS entries must reflect
+the issues addressed (also referring to the relevant issue trackers), and
+security-related entries get assigned a GNUTLS-SA (gnutls security advisory
+number). The assignment is done at release time at the web repository, in
+the 'security-entries' path. The number assigned is the year separated
+with a dash with the first unassigned number for the year.
+
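Review bot: the reporting section leaves the confidential channel unspecified. The text says issues are reported "to [issue tracker](https://gitlab.com/gnutls/gnutls/issues) as private bugs, or on the bug report mail address", but the address is never named and there is no link to where it is listed, so a reporter reading only this file cannot use the second option; naming the address or linking the page that lists it would fix that. Smaller points in the same hunk: the stray leading space in `+ Security issues are reported either to [issue tracker]`, the typos "preferrably" and "targetting", "to assessing" should read "for assessing", and "The following steps describe the steps we recommend to use to address the issue" repeats "steps". The GNUTLS-SA sentence ("the year separated with a dash with the first unassigned number for the year") is hard to parse; spelling out the format with a placeholder example would remove the ambiguity. Finally, since the file opens with the top-level `# GnuTLS -- Information about our security issue handling process`, the later sections ("Which issues are security issues", "Committing a fix", "Releasing") would read better as `##` subsections rather than further top-level headings.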