chore: init SECURITY.md

SECURITY.md

@@ -0,0 +1,95 @@
+# Security Policy
+
+## Supported Versions
+
+Unless otherwise specified, we recommend to only use the most recent minor
+version release.
+
+## Reporting a Vulnerability
+
+**Please do not file a public ticket** mentioning the vulnerability.
+
+To disclose a vulnerability, please submit a `Security Advisory` via the
+`Security` tab on the impacted repository.
+
+If a repository doesn't have the proper security reporting set up, please email
+`[email protected]` to report the vulnerability.
+
+## Disclosure Policy
+
+Please first submit the vulnerability you discovered using the instructions in
+[Reporting a Vulnerability](#reporting-a-vulnerability). Once you have done so,
+you may share the details with third parties after either of the following,
+whichever is sooner:
+
+- the vulnerability has been fixed and the Astria security team has permitted
+  disclosure; or
+- 120 days have passed since your submission
+
+### Scope
+
+The scope of this security policy applies to the code repositories under the
+[@astriaorg](https://github.com/astriaorg) Github org and any related
+infrastructure.
+
+### Rewards
+
+Astria does not have a formal reward policy.
+Researchers should not expect compensation for discovering vulnerabilities.
+However, we are grateful for all legitimate vulnerability discoveries
+and will acknowledge researchers after a fix has been widely deployed.
+
+### Official Communication Channel
+
+All security updates will be communicated via the security advisories in the
+corresponding code repository that the vulnerability was reported.
+
+### Feedback on this Policy
+
+If you have suggestions for improving this policy, please submit a pull request.
+
+### What to Expect from Us
+
+When working with us according to this policy, you can expect us to:
+
+- Extend Safe Harbor protection for your vulnerability research related to this policy;
+- Work with you to understand and validate your report,
+  including providing a timely initial response to the submission;
+- Work to remediate discovered vulnerabilities in a timely manner; and
+- Recognize your contribution if you're the first to report
+  a unique vulnerability that triggers a code or configuration change.
+
+### Ground Rules for Researchers
+
+To encourage vulnerability research and to avoid any confusion between
+good-faith hacking and malicious attack, we ask that you:
+
+- Follow this policy and any other relevant agreements.
+- Report discovered vulnerabilities promptly.
+- Avoid violating privacy, disrupting systems, destroying data, or harming user experience.
+- Use only specified reporting method and official communication channels.
+- Keep vulnerability details confidential until fixed, as per the Disclosure Policy.
+- Test only in-scope systems and respect out-of-scope
+  systems and activities.
+- Limit data access when demonstrating a Proof of Concept, and immediately report any accidental access to sensitive data.
+- Interact only with test accounts you own or have explicit permission to use.
+- Do not engage in extortion.
+
+### Safe Harbor
+
+When conducting vulnerability research in full compliance with this policy and
+all applicable laws, we consider this research to be:
+
+- Authorized in accordance with the Computer Fraud and Abuse Act (CFAA)
+ (and/or similar state laws), and we will not initiate or support
+ legal action against you for accidental, good faith
+ violations of this policy;
+- Exempt from the Digital Millennium Copyright Act (DMCA), and we will not bring
+a claim against you for circumvention of technology controls;
+- Exempt from restrictions in our Terms & Conditions that would interfere with
+conducting security research, and we waive those restrictions on a limited basis
+for work done under this policy; and
+- Lawful, helpful to the overall security of the Internet, and
+conducted in good faith.
+
+If you're unsure whether your research is consistent with this policy, please report through our official channels before proceeding.