[Required] Clearly defined and discoverable process to report security issues.

[avishnu]

No description provided.

[tiagolobocastro]

Will create something tweaked from the template: https://github.com/cncf/tag-security/blob/main/community/resources/project-resources/templates/SECURITY.md

[tiagolobocastro]

Also btw the security guidelines.

[tiagolobocastro]

Security policy

Security bulletins

For requesting any information regarding the security of this project please join:

• Slack

Reporting a vulnerability

GitHub
is the preferred method for privately reporting a security vulnerability.

1. Fill out the form on the GitHub Security Reporting
   • You will receive a confirmation email upon submission
2. You may be contacted by the maintainers to further discuss the reported item.
   Please bear with us as we seek to understand the breadth and scope of the
   reported problem, recreate it, and confirm if there is a vulnerability
   present.

Public Disclosure Timing

We prefer to fully disclose the bug as soon as possible once a user mitigation is available.
The Fix Lead drives the schedule using their best judgment based on severity, development time, and release manager feedback. If the Fix Lead is dealing with a Public Disclosure all timelines become ASAP.

Supported Versions

OpenEBS releases follow the semver specification.
Security fixes are typically merged to the HEAD branch and due for release on the next minor version.
Upon request or if deemed necessary as part of a critical security fix we may backport the changes as a patch release.

[tiagolobocastro]

How does this look?