SECURITY: Update policy to better describe disclosure and remediation

Signed-off-by: Stephen Augustus <[email protected]>

SECURITY.md

@@ -1,24 +1,51 @@
-# Reporting Security Issues
-
-<!-- TODO: Adapt any useful components from previous policy.
-
-- Where should issues be reported?
-- What goes in a report?
-  - a description of the issue
-  - the steps required to recreate the issue
-  - affected versions
-  - (if known) mitigations for the issue
-- What is the project's response time?
-- What happens next?
-- How are contributions acknowledged?
-- Is there a disclosure timeline?
--->
-
-Per the [Linux Foundation Vulnerability Disclosure Policy](https://www.linuxfoundation.org/security),
-if you find a vulnerability in a project maintained by the Open Source Security
-Foundation (OpenSSF), please report that directly to the project maintaining
-that code, preferably using GitHub's [Private Vulnerability Reporting](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability#privately-reporting-a-security-vulnerability).
-
-If you've been unable to find a way to report it, or have received no response
-after repeated attempts, please contact the OpenSSF security contact email,
-[[email protected]](mailto:[email protected]).
+# OpenSSF Scorecard Security Policy
+
+This document outlines security procedures and general policies for the
+OpenSSF Scorecard project.
+
+- [Disclosing a security issue](#disclosing-a-security-issue)
+- [Vulnerability management](#vulnerability-management)
+- [Suggesting changes](#suggesting-changes)
+
+## Disclosing a security issue
+
+The OpenSSF Scorecard maintainers take all security issues in the project
+seriously. Thank you for improving the security of OpenSSF Scorecard. We
+appreciate your dedication to responsible disclosure and will make every effort
+to acknowledge your contributions.
+
+OpenSSF Scorecard leverages GitHub's private vulnerability reporting.
+
+To learn more about this feature and how to submit a vulnerability report,
+review [GitHub's documentation on private reporting](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/privately-reporting-a-security-vulnerability).
+
+Here are some helpful details to include in your report:
+
+- a detailed description of the issue
+- the steps required to reproduce the issue
+- versions of the project that may be affected by the issue
+- if known, any mitigations for the issue
+
+A maintainer will acknowledge the report within 72 hours, and will send a more
+detailed response within an additional 72 hours indicating the next steps in
+handling your report. After the initial reply to your report, the maintainers
+will endeavor to keep you informed of the progress towards a fix and full
+announcement, and may ask for additional information or guidance.
+
+## Vulnerability management
+
+When the maintainers receive a disclosure report, they will assign it to a
+primary handler.
+
+This person will coordinate the fix and release process, which involves the
+following steps:
+
+- confirming the issue
+- determining affected versions of the project
+- auditing code to find any potential similar problems
+- preparing fixes for all releases under maintenance
+
+## Suggesting changes
+
+If you have suggestions on how this process could be improved please submit an
+issue or pull request.