From 59fcab281ebfe8aa6ff6c3e0835f5cd3379b06ba Mon Sep 17 00:00:00 2001
From: Mark Sagi-Kazar <mark.sagikazar@gmail.com>
Date: Mon, 19 Apr 2021 14:41:51 +0200
Subject: [PATCH 1/2] docs: initial security policy

Signed-off-by: Mark Sagi-Kazar <mark.sagikazar@gmail.com>
---
 .github/SECURITY.md | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)
 create mode 100644 .github/SECURITY.md

diff --git a/.github/SECURITY.md b/.github/SECURITY.md
new file mode 100644
index 00000000..9decd34e
--- /dev/null
+++ b/.github/SECURITY.md
@@ -0,0 +1,24 @@
+# Security Policy
+
+## Reporting a vulnerability
+
+To report a vulnerability, send an email to [cncf-dex-maintainers@lists.cncf.io](mailto:cncf-dex-maintainers@lists.cncf.io)
+detailing the issue and steps to reproduce. The reporter(s) can expect a
+response within 48 hours acknowledging the issue was received. If a response is
+not received within 48 hours, please reach out to any maintainer directly
+to confirm receipt of the issue.
+
+## Review Process
+
+Once a maintainer has confirmed the relevance of the report, a draft security
+advisory will be created on Github. The draft advisory will be used to discuss
+the issue with maintainers, the reporter(s).
+If the reporter(s) wishes to participate in this discussion, then provide
+reporter Github username(s) to be invited to the discussion. If the reporter(s)
+does not wish to participate directly in the discussion, then the reporter(s)
+can request to be updated regularly via email.
+
+If the vulnerability is accepted, a timeline for developing a patch, public
+disclosure, and patch release will be determined. The reporter(s) are expected
+to participate in the discussion of the timeline and abide by agreed upon dates
+for public disclosure.

From bf8c35ad2d1d74ba95e3296f60f8cb98be62ca23 Mon Sep 17 00:00:00 2001
From: Mark Sagi-Kazar <mark.sagikazar@gmail.com>
Date: Mon, 19 Apr 2021 14:47:21 +0200
Subject: [PATCH 2/2] docs: update readme linking to the security policy

Signed-off-by: Mark Sagi-Kazar <mark.sagikazar@gmail.com>
---
 README.md | 8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)

diff --git a/README.md b/README.md
index 190ddf52..6ae2a7b0 100644
--- a/README.md
+++ b/README.md
@@ -102,13 +102,9 @@ All changes or deprecations of connector features will be announced in the [rele
 * Client libraries
   * [Go][go-oidc]
 
-## Reporting a security vulnerability
+## Reporting a vulnerability
 
-Due to their public nature, GitHub and mailing lists are NOT appropriate places
-for reporting vulnerabilities.
-
-Please email the [maintainers list](mailto:cncf-dex-maintainers@lists.cncf.io) to report issues that may
-be security-related.
+Please see our [security policy](.github/SECURITY.md) for details about reporting vulnerabilities.
 
 ## Getting help