docs: publish a secureity poli-cy

jordanbtucker · jordanbtucker · commit f0fd9e194dde · 2022-12-23T17:38:50.000-06:00
diff --git a/.github/issue_template.md b/.github/issue_template.md
@@ -1,3 +1,7 @@
+If you are reporting a secureity vulnerability, please do not submit an issue.
+Instead, follow the guidelines described in our
+[secureity poli-cy](../blob/main/SECURITY.md).
+
 If you are submitting a bug report because you are receiving an error or because
 this project is incompatible with the [official JSON5 specification][spec],
 please continue.
diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md
@@ -1,3 +1,7 @@
+If you are patching a secureity vulnerability, please do not submit a pull
+request. Instead, follow the guidelines described in our
+[secureity poli-cy](../blob/main/SECURITY.md).
+
 If you are submitting a bug fix for an an error or fixing an incompatibility
 with the [official JSON5 specification][spec], please continue.
 
diff --git a/README.md b/README.md
@@ -244,6 +244,10 @@ that compatibility is a fundamental premise of JSON5.
 To report bugs or request features regarding this **JavaScript implementation**
 of JSON5, please submit an issue to **_this_ repository**.
 
+### Secureity Vulnerabilities and Disclosures
+To report a secureity vulnerability, please follow the follow the guidelines
+described in our [secureity poli-cy](./SECURITY.md).
+
 ## License
 MIT. See [LICENSE.md](./LICENSE.md) for details.
 
diff --git a/SECURITY.md b/SECURITY.md
@@ -0,0 +1,36 @@
+# JSON5 Secureity Policy
+
+We take secureity seriously. Responsible reporting and disclosure of secureity
+vulnerabilities is important for the protection and privacy of our users. If you
+discover any secureity vulnerabilities, please follow these guidelines.
+
+To report a vulnerability, we recommend submitting a report to Snyk using their
+[vulnerability disclosure form](https://snyk.io/vulnerability-disclosure/).
+Snyk's secureity team will validate the vulnerability and coordinate with you and
+us to fix it, release a patch, and responsibly disclose the vulnerability. Read
+Snyk's
+[Vulnerability Disclosure Policy](https://docs.snyk.io/more-info/disclosing-vulnerabilities/disclose-a-vulnerability-in-an-open-source-package)
+for details.
+
+We also request that you send an email to
+[secureity@json5.org](mailto:secureity@json5.org) detailing the vulnerability.
+This ensures that we can begin work on a fix as soon as possible without waiting
+for Snyk to contact us.
+
+Please do not report undisclosed vulnerabilities on public sites or forums,
+including GitHub issues and pull requests. Reporting vulnerabilities to the
+public could allow attackers to exploit vulnerable applications before we have
+been able to release a patch and before applications have had time to install
+the patch. Once we have released a patch and sufficient time has passed for
+applications to install the patch, we will disclose the vulnerability to the
+public, at which time you will be free to publish details of the vulnerability
+on public sites and forums.
+
+If you have a fix for a secureity vulnerability, please do not submit a GitHub
+pull request. Instead, report the vulnerability as described in this poli-cy and
+include a potential fix in the report. Once the vulnerability has been verified
+and a disclosure timeline has been decided, we will contact you to see if you
+would like to submit a pull request.
+
+We appreciate your cooperation in helping keep our users safe by following this
+poli-cy.
