SECURITY.md: Add in a security policy

obgm · Aug 14, 2023 · c8a305a · c8a305a
1 parent 8d81c9a
commit c8a305a
Showing 1 changed file with 33 additions and 0 deletions.
diff --git a/SECURITY.md b/SECURITY.md
@@ -0,0 +1,33 @@
+# Security Policy
+
+## No Warranty
+
+Per the terms of the BSD-2-Clause license, libcoap is offered "as is" and
+without any guarantee or warranty pertaining to its operation. While every
+reasonable effort is made by its maintainers to ensure the product remains
+free of security vulnerabilities, users are ultimately responsible for
+conducting their own evaluations of each software release.
+
+## Reporting a Suspected Vulnerability
+
+If you believe you've uncovered a security vulnerability and wish to report
+it confidentially, you may do so via email. Please note that any reported
+vulnerabilities **MUST** meet all the following conditions:
+
+* Affects the most recent stable release of libcoap, or a current beta release
+* Is reproducible following a prescribed set of instructions
+
+Please note that we **DO NOT** accept reports generated by automated tooling
+which merely suggest that a file or file(s) _may_ be vulnerable under certain
+conditions, as these are most often innocuous.
+
+If you believe that you've found a vulnerability which meets all of these
+conditions, please email a brief description of the suspected bug and
+instructions for reproduction to **libcoap-security@tzi.org**. Please do NOT
+create a public GitHub issue.
+
+### Bug Bounties
+
+As libcoap is provided as free open source software, we do not offer any monetary
+compensation for vulnerability or bug reports, however your contributions are greatly
+appreciated.