From a21abf249cdfd12ef71fb72e69ff06372e81bbe3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?=
 <manuel.pegourie-gonnard@arm.com>
Date: Thu, 25 Feb 2021 11:41:38 +0100
Subject: [PATCH] Add SECURITY.md
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

There was no mention of our security email address, nor of our security
process, in the repo, which made them hard to discover for contributors.

Also, this filename is recognized by github:
https://docs.github.com/en/github/managing-security-vulnerabilities/adding-a-security-policy-to-your-repository

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
---
 SECURITY.md | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
 create mode 100644 SECURITY.md

diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 000000000..baf4468db
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,18 @@
+## Reporting Vulneratibilities
+
+If you think you have found an Mbed TLS security vulnerability, then please
+send an email to the security team at
+<mbed-tls-security@lists.trustedfirmware.org>.
+
+## Security Incident Handling Process
+
+Our security process is detailled in our [security
+center](https://developer.trustedfirmware.org/w/mbed-tls/security-center/).
+
+Its primary goal is to ensure fixes are ready to be deployed when the issue
+goes public.
+
+## Maintained branches
+
+Only the maintained branches, as listed in BRANCHES.md, get security fixes.
+Users are urged to always use the latest version of a maintained branch.