Merge branch 'main' into docs/contrib-ladder-proposal

README.md

@@ -1,4 +1,4 @@
-# <img alt="Logo" width="50px" src="./assets/oscal-compass-icon-800x800.png" style="vertical-align: middle;" /> OSCAL Compass Community
+# <img alt="Logo" width="50px" src="./assets/oscal-compass-icon-1200x1200.png" style="vertical-align: middle;" /> OSCAL Compass Community
 
 ## Welcome to the OSCAL Compass Community repository
 

SECURITY.md

@@ -0,0 +1,48 @@
+# OSCAL Compass Security Policy
+
+This policy describes OSCAL Compass security and disclosure information.
+
+## Reporting a vulnerability
+
+To report a vulnerability, either:
+
+1. Report it on Github directly you can follow the procedure described
+   [here](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability)
+   and:
+
+    - Navigate to the security tab (e.g. `trestle` [security tab](https://github.com/oscal-compass/compliance-trestle/security)) on the repository
+    - Click on 'Advisories'
+    - Click on 'Report a vulnerability'
+    - Detail the issue, see below for some examples of info that might be
+      useful including.
+
+2. Send an email to `[email protected]` detailing the issue and impacted project(s).
+
+### What to include
+
+Make sure to include all the details that might help maintainers better understand and prioritize it, for example here is a list of details that might be worth adding:
+
+* Versions of impacted project(s) used
+* Detailed list of steps to reproduce the vulnerability
+* Consequences of the vulnerability
+* Severity you feel should be attributed to the vulnerabilities
+* Screenshots or logs
+
+## Public Disclosure
+
+Vulnerabilities once fixed will be shared publicly as a Github [security
+advisory](https://docs.github.com/en/code-security/security-advisories/repository-security-advisories/about-repository-security-advisories)
+and mentioned in the fixed versions' release notes.
+
+## Supported Versions
+
+All OSCAL Compass projects follow [Semantic Versioning](https://semver.org/) terminology and are expressed as x.y.z:
+- where x is the major version
+- y is the minor version
+- and z is the patch version
+
+Security fixes are typically addressed in the main branch and may be backported to one prior minor release depending on severity and feasibility.
+
+## Acknowledgments
+
+Parts of this policy were adapted from the Crossplane [security policy](https://github.com/crossplane/crossplane/blob/master/SECURITY.md)