Create security policy

[znewman01]

e.g. SECURITY.md

Worth modifying the issue/PR templates too.

Motivation: #369 (which was fine! it didn't violate any guidelines because go-tuf had none 😄)

[znewman01]

Make sure to compare with other TUF-ecosystem policies.

[joshuagl]

AFAIK GitHub doesn't have any tooling to support a private reporting mechanism for maintainers, any thoughts on a good approach for this? Managing a mailing list feels like too much, do we list maintainer email addresses and GPG keys in SECURITY.md?

[mnm678]

AFAIK GitHub doesn't have any tooling to support a private reporting mechanism for maintainers, any thoughts on a good approach for this? Managing a mailing list feels like too much, do we list maintainer email addresses and GPG keys in SECURITY.md?

emails and GPG keys is the approach used by other TUF implementations. It's not the easiest to use, but seems like the best option.

[trishankatdatadog]

How about a Google Form? Seems like the biggest bang for the buck.

[trishankatdatadog]

An example from Uptane

[trishankatdatadog]

Example policy from tough

[trishankatdatadog]

Can probably use this template

[znewman01]

Can probably use this template

That seems a little circular: it asks for a link to a security policy 😛

The OpenSSF has a guide to choosing a disclosure policy here that might be useful: https://github.com/ossf/oss-vulnerability-guide

[asraa]

AIs:

• Create a Google Form submission form with direct maintainer emails (MUST)
• Create a SECURITY.md (MUST)
• Move to a mailing list with perms (COULD)
• Create a small job or a placeholder to revisit the members of that mailing list (COULD)