docs: add additional detail to security policy (#2488)

## Description Adding a security policy file to the repo ## Checklist before merging - [X] Test, docs, adr added or updated as needed - [X] [Contributor Guide Steps](https://github.com/defenseunicorns/zarf/blob/main/.github/CONTRIBUTING.md#developer-workflow) followed --------- Signed-off-by: Xander Grzywinski <[email protected]> Co-authored-by: razzle <[email protected]>
defenseunicorns · May 10, 2024 · 3060538 · 3060538
1 parent 9ca6e9a
commit 3060538
Showing 1 changed file with 15 additions and 3 deletions.
diff --git a/.github/SECURITY.md b/.github/SECURITY.md
@@ -1,9 +1,21 @@
-# Security Policy
+# Reporting Security Issues
+
+To report a security issue or vulnerability in Zarf, please use the confidential GitHub Security Advisory ["Report a Vulnerability"](https://github.com/defenseunicorns/zarf/security/advisories) tab. The Zarf team will send a response indicating the next steps in handling your report. After the initial reply to your report, the team will keep you informed of the progress towards a fix and full announcement, and may ask for additional information or guidance.
+
+### When Should I Report a Vulnerability?
+
+* You found a vulnerability in the Zarf code.
+* You found a vulnerability in one of the Zarf dependencies that affects the project that has not been patched yet.
+
+### When Should I NOT Report a Vulnerability?
+
+* You found a bug or malfunction in the Zarf code (not security related).
+* You want to add a feature to Zarf.
 
 ## Supported Versions
 
 As Zarf has not yet reached v1.0.0, only the current latest minor release is supported.
 
-## Reporting a Vulnerability
+## Contacting Us
 
-Please email `security-notice [at] defenseunicorns.com` to report a vulnerability. If you are unable to disclose details via email, please let us know and we can coordinate alternate communications.
+To discuss security related issues, please email the maintainers at [email protected].