docs: add security policy (#4347)

rjaegers · web-flow · commit b4c3f9d15aef · 2025-01-10T11:12:32.000+01:00
This PR adds a SECURITY.md document describing how to report a
vulnerability.
diff --git a/SECURITY.md b/SECURITY.md
@@ -0,0 +1,10 @@
+# Security Policy
+
+## Reporting a Vulnerability
+
+If you find a vulnerability, or evidence of one, please report it privately.
+
+Vulnerabilities should be reported using [GitHub's mechanism for privately reporting a vulnerability](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability#privately-reporting-a-security-vulnerability). Under the
+[main repository's security tab](https://github.com/github-aws-runners/terraform-aws-github-runner/security), click "Report a vulnerability" to open the advisory form.
+
+A member of the terraform-aws-github-runner team will triage the reported vulnerability and if the vulnerability is accepted a security advisory will be published and all further communication will be done via that security advisory.
