docs: add security policy (#267)

Signed-off-by: Felipe Zipitria <[email protected]>

SECURITY.md

@@ -0,0 +1,33 @@
+# Security Policy
+
+This document includes information about the vulnerability reporting, patch,
+release, and disclosure processes, as well as general security posture.
+
+# Reporting Security Issues
+
+Vulnerabilities are reported privately via GitHub's
+[Security Advisories](https://docs.github.com/en/code-security/security-advisories)
+feature. Please use the following link to submit your vulnerability:
+[Report a vulnerability](https://github.com/coreruleset/go-ftw/security/advisories/new)
+
+Please see
+[Privately reporting a security vulnerability](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability#privately-reporting-a-security-vulnerability)
+for more information on how to submit a vulnerability using GitHub's interface.
+
+Our vulnerability management team will respond within 3 working days of your
+email. If the issue is confirmed as a vulnerability, we will open a
+Security Advisory and acknowledge your contributions as part of it. This project
+follows a 90 day disclosure timeline.
+
+
+### When Should I Report a Vulnerability?
+
+- You think you discovered a potential security vulnerability in go-ftw
+- You are unsure how a vulnerability affects go-ftw
+- You think you discovered a vulnerability in another project that go-ftw depends on
+  - For projects with their own vulnerability reporting and disclosure process, please report it directly there
+
+### When Should I NOT Report a Vulnerability?
+
+- You need help applying security related updates
+- Your issue is not security related