Merge pull request #1365 from urfave/security-policy-doc

meatballhat · web-flow · commit 939ab7f9e73b · 2022-05-22T09:53:13.000-04:00
Add a security policy document
diff --git a/CODE_OF_CONDUCT.md b/CODE_OF_CONDUCT.md
@@ -55,11 +55,12 @@ further defined and clarified by project maintainers.
 ## Enforcement
 
 Instances of abusive, harassing, or otherwise unacceptable behavior may be
-reported by contacting Dan Buch at dan@meatballhat.com. All complaints will be
-reviewed and investigated and will result in a response that is deemed necessary
-and appropriate to the circumstances. The project team is obligated to maintain
-confidentiality with regard to the reporter of an incident.  Further details of
-specific enforcement policies may be posted separately.
+reported by contacting urfave-governance@googlegroups.com, a members-only group
+that is world-postable. All complaints will be reviewed and investigated and
+will result in a response that is deemed necessary and appropriate to the
+circumstances. The project team is obligated to maintain confidentiality with
+regard to the reporter of an incident. Further details of specific enforcement
+policies may be posted separately.
 
 Project maintainers who do not follow or enforce the Code of Conduct in good
 faith may face temporary or permanent repercussions as determined by other
diff --git a/docs/SECURITY.md b/docs/SECURITY.md
@@ -0,0 +1,27 @@
+# Security Policy
+
+Hello and thank you for your interest in the `urfave/cli` security
+policy! :tada: :lock:
+
+## Supported Versions
+
+| Version      | Supported                             |
+| ------------ | ------------------------------------- |
+| `>= v2.3.x`  | :white_check_mark:                    |
+| `< v2.3`     | :x:                                   |
+| `>= v1.22.x` | :white_check_mark: :lady_beetle: [^1] |
+| `< v1.22`    | :x:                                   |
+
+## Reporting a Vulnerability
+
+Please disclose any vulnerabilities by sending an email to:
+
+[urfave-security@googlegroups.com](mailto:urfave-security@googlegroups.com)
+
+You should expect a response within 48 hours and further
+communications to be decided via email. The `urfave/cli` maintainer
+team comprises volunteers who contribute when possible, so please
+have patience :bow:
+
+[^1]: The `v1.22.x` series will receive bug fixes and security
+  patches only.
