add security.rst to docs, unblock some URLs

.github/workflows/main.yml

@@ -84,6 +84,8 @@ jobs:
           disable-sudo: true
           egress-policy: block
           allowed-endpoints: >
+            api.github.com:443
+            dap.service.does.not.exist:443
             files.pythonhosted.org:443
             github.com:443
             pypi.org:443

SECURITY.md

@@ -1,5 +1,7 @@
 # Security Policy
 
+[//]: # (ATTENTION: This is the Markdown version of docs/security.rst. Any changes should also be made in the ReStructuredText version.)
+
 ## Supported Versions
 
 `xclim` is in rapid development and receives regular updates every four to six (4-6) weeks. In the event of a security-related bug discovery soon after the release of an `xclim` version, the last supported version will receive a patch release.

docs/index.rst

@@ -41,6 +41,7 @@ Leveraging xarray and dask, users can easily bias-adjust climate simulations ove
 
    authors
    changes
+   security
    references
 
 .. toctree::

docs/security.rst

@@ -0,0 +1,46 @@
+===============
+Security Policy
+===============
+
+..
+    This is the ReStructuredText version of SECURITY.md. Any changes should also be made in the Markdown version.
+
+Supported Versions
+==================
+
+`xclim` is in rapid development and receives regular updates every four to six (4-6) weeks. In the event of a security-related bug discovery soon after the release of an `xclim` version, the last supported version will receive a patch release.
+
+Reporting a Vulnerability
+=========================
+
+If you believe you have found a security vulnerability in `xclim`, we encourage you to let us know right away. We take all security vulnerabilities seriously and appreciate your efforts to responsibly disclose them.
+
+Please follow these steps to report a security vulnerability:
+
+#. **Email**: Email `[email protected] <mailto:[email protected]>`_ with a detailed description of the vulnerability. If applicable, please include any steps or a proof-of-concept to help us understand and reproduce the issue.
+
+#. **Encryption (Optional)**: If you are concerned about the sensitivity of the information you are sharing, you can use the PGP key found below to encrypt your communication.
+
+#. **Response**: We will acknowledge your email within 48 hours and work with you to understand and confirm the vulnerability.
+
+#. **Fix and Disclosure**: Once the vulnerability is confirmed, we will work to address it promptly. We appreciate your patience as we investigate and implement a fix. Once resolved, we will coordinate the disclosure and provide credit to the reporter unless they prefer to remain anonymous.
+
+PGP Encryption Key
+==================
+
+You can use the following PGP key to encrypt your communications with us::
+
+    -----BEGIN PGP PUBLIC KEY BLOCK-----
+
+    mDMEZamQrhYJKwYBBAHaRw8BAQdA+saPvmvr1MYe1nQy3n3QDcRE9T7UzTJ1XH31
+    EI4Zb6u0Mk91cmFub3MgR2l0SHViIFN1cHBvcnQgPGdpdGh1Yi1zdXBwb3J0QG91
+    cmFub3MuY2E+iJkEExYKAEEWIQSeAu+Cbjupx79jy9VeVFD6o5TVcwUCZamQrgIb
+    AwUJCWYBgAULCQgHAgIiAgYVCgkICwIEFgIDAQIeBwIXgAAKCRBeVFD6o5TVc4ho
+    AQDXjDkx0b3A7yl6PQ4hBJ2uYzw0UWbml7mUwVdhMmdZkQD/VJZQNWrCQeOtYEM8
+    icZJYwR/OsKFOWqlDytusGGtjwa4OARlqZCuEgorBgEEAZdVAQUBAQdAa41Zabjz
+    P9O+p6tI69Cnft6U5om3+qCcMo8amTqauH0DAQgHiH4EGBYKACYWIQSeAu+Cbjup
+    x79jy9VeVFD6o5TVcwUCZamQrgIbDAUJCWYBgAAKCRBeVFD6o5TVcwmaAQClDxW6
+    2gir7lhRXAcO+vmRImpGd29TrkcQVh+ak7VlwQEA706d7Kusiorlf/h8pLSoNMmS
+    kuLGmHpUJ8NVGppU+wo=
+    =wuxr
+    -----END PGP PUBLIC KEY BLOCK-----