Merge pull request #1013 from mprpic/add-security-policy

Add a Security policy file

Author: mergify[bot]

SECURITY.md

@@ -0,0 +1,26 @@
+# Security policy
+
+## Supported versions
+
+Security updates are applied to the latest release only.
+
+## Reporting a vulnerability
+
+If you find a vulnerability in fromager, please report it using GitHub's
+vulnerability reporting under the _Security and quality_ tab (see [GitHub
+documentation](https://docs.github.com/en/code-security/how-tos/report-and-fix-vulnerabilities/privately-reporting-a-security-vulnerability)
+for more information).
+
+**Please do not report security vulnerabilities through public GitHub
+issues.**
+
+In addition to the description of the vulnerability, if possible please
+include a short reproducer, a proposed severity rating, and other
+classifying metadata such as a [CWE](https://cwe.mitre.org/) ID or a
+[CVSS](https://www.first.org/cvss/) score.
+
+## Disclosure Policy
+
+We follow a coordinated disclosure process. We ask that you give us a
+reasonable amount of time to address the vulnerability before making
+any public disclosure.