docs(security): add Security Policy

Co-authored-by: Anton Sapozhnikov <[email protected]> Co-authored-by: Patrik Nordlén <[email protected]> Co-authored-by: Samuel Kelemen <[email protected]>
einride · Oct 1, 2024 · eac7018 · eac7018
1 parent 685d3bb
commit eac7018
Showing 1 changed file with 33 additions and 7 deletions.
diff --git a/SECURITY.md b/SECURITY.md
@@ -1,12 +1,38 @@
 # Security Policy
 
-## Supported Versions
+Einride welcomes feedback from security researchers and the general public to help improve our
+security. If you believe you have discovered a vulnerability, privacy issue, exposed data, or other
+security issues in relation to this project, we want to hear from you. This policy outlines steps
+for reporting security issues to us, what we expect, and what you can expect from us.
 
-We release patches for security vulnerabilities. This project is currently stable (v1.x) and only
-the latest version will receive security patches.
+## Supported versions
 
-## Reporting a Vulnerability
+We release patches for security issues according to semantic versioning. This project is currently
+unstable (v0.x) and only the latest version will receive security patches.
 
-Please report (suspected) security vulnerabilities to
-**[[email protected]](mailto:[email protected])**. You will receive a response from
-us within 2 business days. If the issue is confirmed, we will release a patch as soon as possible.
+## Reporting a vulnerability
+
+Please do not report security vulnerabilities through public issues, discussions, or change
+requests.
+
+Please report security issues via [[email protected]][email]. Provide all relevant
+information, including steps to reproduce the issue, any affected versions, and known mitigations.
+The more details you provide, the easier it will be for us to triage and fix the issue. You will
+receive a response from us within 2 business days. If the issue is confirmed, a patch will be
+released as soon as possible.
+
+For more information, or security issues not relating to open source code, please consult our
+[Vulnerability Disclosure Policy][vdp].
+
+## Preferred languages
+
+English is our preferred language of communication.
+
+## Contributions and recognition
+
+We appreciate every contribution and will do our best to publicly [acknowledge][acknowledgments]
+your contributions.
+
+[acknowledgments]: https://einride.tech/security-acknowledgments.txt
+[email]: mailto:[email protected]
+[vdp]: https://www.einride.tech/vulnerability-disclosure-policy