From 56dad288dcb9fa8925d472c3f592c7837c1f24d8 Mon Sep 17 00:00:00 2001
From: Michael Stapelberg <stapelberg@golang.org>
Date: Wed, 3 Jan 2024 13:54:02 +0100
Subject: [PATCH] all: add Security Policy (SECURITY.md)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This should help direct reports to the correct channel.

Change-Id: I468fc5ecaf81d9c8b95765f1fd7de9c5b5adaf2e
Reviewed-on: https://go-review.googlesource.com/c/protobuf/+/553576
Reviewed-by: Christian Höppner <hoeppi@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
---
 SECURITY.md | 4 ++++
 1 file changed, 4 insertions(+)
 create mode 100644 SECURITY.md

diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 00000000..4648e5e3
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,4 @@
+To report a security issue, please use [https://g.co/vulnz](https://g.co/vulnz).
+We use g.co/vulnz for our intake, and do coordination and disclosure here on
+GitHub (including using GitHub Security Advisory). The Google Security Team will
+respond within 5 working days of your report on g.co/vulnz.