docs: publish a security policy

jordanbtucker · jordanbtucker · commit f0fd9e194dde · 2022-12-23T17:38:50.000-06:00
diff --git a/.github/issue_template.md b/.github/issue_template.md
@@ -1,3 +1,7 @@
+If you are reporting a security vulnerability, please do not submit an issue.
+Instead, follow the guidelines described in our
+[security policy](../blob/main/SECURITY.md).
+
 If you are submitting a bug report because you are receiving an error or because
 this project is incompatible with the [official JSON5 specification][spec],
 please continue.
diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md
@@ -1,3 +1,7 @@
+If you are patching a security vulnerability, please do not submit a pull
+request. Instead, follow the guidelines described in our
+[security policy](../blob/main/SECURITY.md).
+
 If you are submitting a bug fix for an an error or fixing an incompatibility
 with the [official JSON5 specification][spec], please continue.
 
diff --git a/README.md b/README.md
@@ -244,6 +244,10 @@ that compatibility is a fundamental premise of JSON5.
 To report bugs or request features regarding this **JavaScript implementation**
 of JSON5, please submit an issue to **_this_ repository**.
 
+### Security Vulnerabilities and Disclosures
+To report a security vulnerability, please follow the follow the guidelines
+described in our [security policy](./SECURITY.md).
+
 ## License
 MIT. See [LICENSE.md](./LICENSE.md) for details.
 
diff --git a/SECURITY.md b/SECURITY.md
@@ -0,0 +1,36 @@
+# JSON5 Security Policy
+
+We take security seriously. Responsible reporting and disclosure of security
+vulnerabilities is important for the protection and privacy of our users. If you
+discover any security vulnerabilities, please follow these guidelines.
+
+To report a vulnerability, we recommend submitting a report to Snyk using their
+[vulnerability disclosure form](https://snyk.io/vulnerability-disclosure/).
+Snyk's security team will validate the vulnerability and coordinate with you and
+us to fix it, release a patch, and responsibly disclose the vulnerability. Read
+Snyk's
+[Vulnerability Disclosure Policy](https://docs.snyk.io/more-info/disclosing-vulnerabilities/disclose-a-vulnerability-in-an-open-source-package)
+for details.
+
+We also request that you send an email to
+[security@json5.org](mailto:security@json5.org) detailing the vulnerability.
+This ensures that we can begin work on a fix as soon as possible without waiting
+for Snyk to contact us.
+
+Please do not report undisclosed vulnerabilities on public sites or forums,
+including GitHub issues and pull requests. Reporting vulnerabilities to the
+public could allow attackers to exploit vulnerable applications before we have
+been able to release a patch and before applications have had time to install
+the patch. Once we have released a patch and sufficient time has passed for
+applications to install the patch, we will disclose the vulnerability to the
+public, at which time you will be free to publish details of the vulnerability
+on public sites and forums.
+
+If you have a fix for a security vulnerability, please do not submit a GitHub
+pull request. Instead, report the vulnerability as described in this policy and
+include a potential fix in the report. Once the vulnerability has been verified
+and a disclosure timeline has been decided, we will contact you to see if you
+would like to submit a pull request.
+
+We appreciate your cooperation in helping keep our users safe by following this
+policy.
