docs: include GitHub Security Advisory

related expressjs/security-wg#30
expressjs · UlisesGascon · Apr 20, 2025 · Mar 8, 2025 · Mar 8, 2025 · Mar 8, 2025
commit 2b51ec91d4b5f333605d39e6bb691ba1d90a0180
diff --git a/SECURITY.md b/SECURITY.md
@@ -7,27 +7,41 @@ project.
   * [Disclosure Policy](#disclosure-policy)
   * [Comments on this Policy](#comments-on-this-policy)
 
-## Reporting a Bug
+## Reporting a Bug or Security Vulnerability  
 
-The Express team and community take all security bugs in Express seriously.
-Thank you for improving the security of Express. We appreciate your efforts and
-responsible disclosure and will make every effort to acknowledge your
-contributions.
+The Express team and community take all security vulnerabilities seriously. 
+Thank you for improving the security of Express and related projects. 
+We appreciate your efforts in responsible disclosure and will make every effort 
+to acknowledge your contributions.  
 
-Report security bugs by emailing `express-security@lists.openjsf.org`.
+### Reporting Security Bugs via GitHub Security Advisory (Preferred)  
 
-To ensure the timely response to your report, please ensure that the entirety
-of the report is contained within the email body and not solely behind a web
-link or an attachment.
+The preferred way to report security vulnerabilities is through 
+[GitHub Security Advisories](https://github.com/advisories). 
+This allows us to collaborate on a fix while maintaining the 
+confidentiality of the report.  
 
-The lead maintainer will acknowledge your email within 48 hours, and will send a
-more detailed response within 48 hours indicating the next steps in handling
-your report. After the initial reply to your report, the security team will
-endeavor to keep you informed of the progress towards a fix and full
-announcement, and may ask for additional information or guidance.
+To report a vulnerability
+([docs](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/privately-reporting-a-security-vulnerability)):  
+1. Visit the **Security** tab of the affected repository on GitHub.  
+2. Click **Report a vulnerability** and follow the provided steps.  
+
+This process applies to any repositories within the Express ecosystem. 
+If you are unsure whether a repository falls under this policy, 
+feel free to reach out via email.  
+
+### Reporting via Email  
+
+If you prefer, you can also report security issues by emailing `express-security@lists.openjsf.org`.  
+
+To ensure a timely response, please include all relevant details directly in the email body rather than linking to external sources or attaching files.  
+
+The lead maintainer will acknowledge your email within 48 hours and provide an initial response outlining the next steps. The security team will keep you updated on the progress and may request additional details.  
+
+### Third-Party Modules  
+
+If the security issue pertains to a third-party module that is not directly maintained within the Express ecosystem, please report it to the maintainers of that module.  
 
-Report security bugs in third-party modules to the person or team maintaining
-the module.
 
 ## Disclosure Policy